Windows Analysis Report
dstream.log.exe

Overview

General Information

Sample name: dstream.log.exe
Analysis ID: 1467957
MD5: fb1d8d0ba73b7d30b38057853705b160
SHA1: 5b36e28d52a1ac061a0653d23baf5277cb543568
SHA256: ca7a8be040371db76cadba7e926c9d98ab61a8b8e7e6d39f6e015fca6cb5bab4

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: dstream.log.exe Virustotal: Detection: 36%
Source: dstream.log.exe ReversingLabs: Detection: 37%
Source: dstream.log.exe Joe Sandbox ML: detected
Source: dstream.log.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\A\18\s\PCbuild\amd64\python37.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmp, python37.dll.0.dr
Source: Binary string: C:\A\6\b\libssl-1_1.pdb?? source: dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_bz2.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_ctypes.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _ctypes.pyd.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\unicodedata.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: dstream.log.exe, 00000000.00000003.2179946053.00000256C52F3000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.0.dr
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1g 21 Apr 2020built on: Fri Jun 12 19:40:20 2020 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-1_1"not available source: dstream.log.exe, 00000000.00000003.2179946053.00000256C52F3000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_asyncio.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _asyncio.pyd.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\pyexpat.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, pyexpat.pyd.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_lzma.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_socket.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_decimal.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_ssl.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _ssl.pyd.0.dr
Source: Binary string: C:\A\6\b\libcrypto-1_1.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C5374000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_overlapped.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\18\s\PCbuild\amd64\select.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr
Source: Binary string: vcruntime140.amd64.pdbGCTL source: dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmp, rundatastream.exe, 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmp, vcruntime140.dll.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_lzma.pdbNN source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_hashlib.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.0.dr
Source: Binary string: C:\A\6\b\libssl-1_1.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_elementtree.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _elementtree.pyd.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_queue.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _queue.pyd.0.dr
Source: Binary string: vcruntime140.amd64.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmp, rundatastream.exe, 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmp, vcruntime140.dll.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_decimal.pdb$$ source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_multiprocessing.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _multiprocessing.pyd.0.dr
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6D8370 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF7BC6D8370
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: 2_2_00007FFD943BAD7C FindFirstFileW,FindClose, 2_2_00007FFD943BAD7C
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp, rundatastream.exe.0.dr String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://json.org
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: python37.dll.0.dr String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://speleotrove.com/decimal/decarith.html
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.iana.org/assignments/character-sets
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.ibiblio.org/xml/examples/shakespeare/hamlet.xml)-r(
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.megginson.com/SAX/.
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.nightmare.com/squirl/python-ext/misc/syslog.py
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.python.org/
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp, rundatastream.exe, 00000002.00000002.2261749406.0000028B1C270000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.rfc-editor.org/rfc/rfc%d.txtz(http://www.python.org/dev/peps/pep-%04d/r2
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.robotstxt.org/norobots-rfc.txt
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.xmlrpc.com/discuss/msgReader$1208
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.xmlrpc.com/discuss/msgReader$1208z
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp, rundatastream.exe.0.dr String found in binary or memory: http://wwwsearch.sf.net/):
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://xml.org/sax/features/namespaces
Source: rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://xml.org/sax/features/namespacesz.http://xml.org/sax/features/namespace-prefixesz
Source: rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://xml.org/sax/features/string-interningz&http://xml.org/sax/features/validationz5http://xml.org
Source: rundatastream.exe String found in binary or memory: http://xml.org/sax/properties/lexical-handlerz1http://xml.org/sax/properties/declaration-handlerz&ht
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://xml.python.org/entities/fragment-builder/internalz
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://xmlrpc.usefulinc.com/doc/reserved.html
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: https://mahler:8092/site-updates.py
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/dlopen.htm
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/load.htm
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C53DE000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr String found in binary or memory: https://www.openssl.org/H
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.python.org/dev/peps/pep-0506/
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: 2_2_00007FFD943BFE88: DeviceIoControl, 2_2_00007FFD943BFE88
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6CAC90 0_2_00007FF7BC6CAC90
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6D7190 0_2_00007FF7BC6D7190
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6C8D80 0_2_00007FF7BC6C8D80
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6C2D70 0_2_00007FF7BC6C2D70
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6D11C0 0_2_00007FF7BC6D11C0
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6C15A0 0_2_00007FF7BC6C15A0
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6C7E70 0_2_00007FF7BC6C7E70
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6D3E70 0_2_00007FF7BC6D3E70
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6DF668 0_2_00007FF7BC6DF668
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6C2250 0_2_00007FF7BC6C2250
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6C4250 0_2_00007FF7BC6C4250
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6C7A30 0_2_00007FF7BC6C7A30
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6D0E28 0_2_00007FF7BC6D0E28
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6C3F00 0_2_00007FF7BC6C3F00
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6D06C8 0_2_00007FF7BC6D06C8
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6D02C0 0_2_00007FF7BC6D02C0
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6DBB70 0_2_00007FF7BC6DBB70
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6D8370 0_2_00007FF7BC6D8370
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6C2B60 0_2_00007FF7BC6C2B60
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6D7810 0_2_00007FF7BC6D7810
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6DC00C 0_2_00007FF7BC6DC00C
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6C63F0 0_2_00007FF7BC6C63F0
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6D1C88 0_2_00007FF7BC6D1C88
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6C2080 0_2_00007FF7BC6C2080
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6D1850 0_2_00007FF7BC6D1850
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6C9430 0_2_00007FF7BC6C9430
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6D6CFC 0_2_00007FF7BC6D6CFC
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6D04C4 0_2_00007FF7BC6D04C4
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: 2_2_00007FFD942C4C64 2_2_00007FFD942C4C64
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: 2_2_00007FFD942C4654 2_2_00007FFD942C4654
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: 2_2_00007FFD942D000C 2_2_00007FFD942D000C
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: 2_2_00007FFD944267EC 2_2_00007FFD944267EC
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: 2_2_00007FFD942DA950 2_2_00007FFD942DA950
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: 2_2_00007FFD942E1990 2_2_00007FFD942E1990
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: 2_2_00007FFD942E1A99 2_2_00007FFD942E1A99
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: 2_2_00007FFD942CF2E0 2_2_00007FFD942CF2E0
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: 2_2_00007FFD944262E0 2_2_00007FFD944262E0
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: 2_2_00007FFD942CEB20 2_2_00007FFD942CEB20
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: 2_2_00007FFD942E5370 2_2_00007FFD942E5370
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: 2_2_00007FFD942C1414 2_2_00007FFD942C1414
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: 2_2_00007FFDA4336E04 2_2_00007FFDA4336E04
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: String function: 00007FFD944487F4 appears 74 times
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: String function: 00007FFD942D9420 appears 193 times
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: String function: 00007FFD943054EC appears 227 times
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: String function: 00007FFD944512A8 appears 75 times
Source: dstream.log.exe Binary or memory string: OriginalFilename vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamerundatastream.exe< vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C53DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibcryptoH vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamerundatastream.exe< vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_asyncio.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_decimal.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_elementtree.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_multiprocessing.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_overlapped.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibsslH vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepyexpat.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepython37.dll. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs dstream.log.exe
Source: dstream.log.exe Binary or memory string: OriginalFilenamerundatastream.exe< vs dstream.log.exe
Source: classification engine Classification label: mal52.evad.winEXE@16/24@0/0
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6CAB70 GetProcessId,GenerateConsoleCtrlEvent,GetLastError,FormatMessageA,WaitForSingleObject,CloseHandle,SHFileOperationW, 0_2_00007FF7BC6CAB70
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5360:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783 Jump to behavior
Source: dstream.log.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dstream.log.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: rundatastream.exe Binary or memory string: Insert thousands separators into a digit string. spec is a dictionary whose keys should include 'thousands_sep' and 'grouping'; typically it's the result of parsing the format specifier using _parse_format_specifier. The min_width keyword arg
Source: rundatastream.exe String found in binary or memory: Fused multiply-add. Returns self*other+third with no rounding of the intermediate product self*other. self and other are multiplied together, with no rounding of the result. The third operand is then added to the result,
Source: rundatastream.exe String found in binary or memory: The name of the reverse DNS pointer for the IP address, e.g.: >>> ipaddress.ip_address("127.0.0.1").reverse_pointer '1.0.0.127.in-addr.arpa' >>> ipaddress.ip_address("2001:db8::1").reverse_pointer '1.0.0.0.0.0.0.
Source: rundatastream.exe String found in binary or memory: v v Request-started Req-sent-unread-response | | response.read() v Request-sent This diagram presents the following rules: -
Source: rundatastream.exe String found in binary or memory: helpz#use -h/--help for command line helprA
Source: rundatastream.exe String found in binary or memory: | response.read() | putrequest() v v Idle Req-started-unread-response ______/| / | response.read() | | ( putheader() )* endheaders()
Source: rundatastream.exe String found in binary or memory: ransitions: (null) | | HTTPConnection() v Idle | | putrequest() v Request-started | | ( putheader() )* endheaders() v Request-sent |\_____________________________ |
Source: rundatastream.exe String found in binary or memory: .ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/dlopen.htm https://www.ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/load.htm AIX supports two styles for dlopen(): svr4 (System V Release 4) which is common on posix pla
Source: rundatastream.exe String found in binary or memory: ------ Idle _CS_IDLE None Request-started _CS_REQ_STARTED None Request-sent _CS_REQ_SENT None Unread-response _CS_IDLE <response_class> Req-started-unread-re
Source: rundatastream.exe String found in binary or memory: for more digits precision -u/--unit: set the output time unit (nsec, usec, msec, or sec) -h/--help: print this usage message and exit --: separate options from statement, use when statement starts with - statement: statement to be timed (default 'pass
Source: rundatastream.exe String found in binary or memory: Usage: mimetypes.py [options] type Options: --help / -h -- print this message and exit --lenient / -l -- additionally search of some common, but non-standard types. --extension / -e -- guess extension instead of
Source: rundatastream.exe String found in binary or memory: null addr-spec in angle-addrz*obsolete route specification in angle-addrz.expected addr-spec or obs-route but found '{}'z"missing trailing '>' on angle-addr) rr
Source: rundatastream.exe String found in binary or memory: angle-addr-startrk
Source: rundatastream.exe String found in binary or memory: Enable the SMTPUTF8 extension and behave as an RFC 6531 smtp proxy. --debug -d Turn on debugging prints. --help -h Print this message and exit. Version: %(__version__)s If localhost is not given then `localhost' is used
Source: rundatastream.exe String found in binary or memory: address_list = (address *("," address)) / obs-addr-list obs-addr-list = *([CFWS] ",") address *("," [address / CFWS]) We depart from the formal grammar here by continuing to parse until the end of the input, assuming the input to be entirely
Source: rundatastream.exe String found in binary or memory: can't send non-None value to a just-started async generator
Source: rundatastream.exe String found in binary or memory: can't send non-None value to a just-started generator
Source: rundatastream.exe String found in binary or memory: can't send non-None value to a just-started coroutine
Source: C:\Users\user\Desktop\dstream.log.exe File read: C:\Users\user\Desktop\dstream.log.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\dstream.log.exe "C:\Users\user\Desktop\dstream.log.exe"
Source: C:\Users\user\Desktop\dstream.log.exe Process created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe "C:\Users\user\Desktop\dstream.log.exe"
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "type msupdate.exe > image3.jpg:msupdate.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "del msupdate.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell .\image3.jpg:msupdate.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell .\image3.jpg:msupdate.exe
Source: C:\Users\user\Desktop\dstream.log.exe Process created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe "C:\Users\user\Desktop\dstream.log.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "type msupdate.exe > image3.jpg:msupdate.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "del msupdate.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell .\image3.jpg:msupdate.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell .\image3.jpg:msupdate.exe Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Section loaded: python37.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dlnashext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wpdshext.dll Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: dstream.log.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: dstream.log.exe Static file information: File size 5161736 > 1048576
Source: dstream.log.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dstream.log.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dstream.log.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dstream.log.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dstream.log.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dstream.log.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: C:\A\6\b\libssl-1_1.pdb?? source: dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_bz2.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_ctypes.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _ctypes.pyd.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\unicodedata.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: dstream.log.exe, 00000000.00000003.2179946053.00000256C52F3000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.0.dr
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1g 21 Apr 2020built on: Fri Jun 12 19:40:20 2020 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-1_1"not available source: dstream.log.exe, 00000000.00000003.2179946053.00000256C52F3000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_asyncio.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _asyncio.pyd.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\pyexpat.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, pyexpat.pyd.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_lzma.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_socket.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_decimal.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_ssl.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _ssl.pyd.0.dr
Source: Binary string: C:\A\6\b\libcrypto-1_1.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C5374000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_overlapped.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\18\s\PCbuild\amd64\select.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr
Source: Binary string: vcruntime140.amd64.pdbGCTL source: dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmp, rundatastream.exe, 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmp, vcruntime140.dll.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_lzma.pdbNN source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_hashlib.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.0.dr
Source: Binary string: C:\A\6\b\libssl-1_1.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_elementtree.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _elementtree.pyd.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_queue.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _queue.pyd.0.dr
Source: Binary string: vcruntime140.amd64.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmp, rundatastream.exe, 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmp, vcruntime140.dll.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_decimal.pdb$$ source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.0.dr
Source: Binary string: C:\A\18\s\PCbuild\amd64\_multiprocessing.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _multiprocessing.pyd.0.dr
Source: dstream.log.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dstream.log.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dstream.log.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dstream.log.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dstream.log.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: dstream.log.exe Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.0.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.0.dr Static PE information: section name: .00cfg
Source: vcruntime140.dll.0.dr Static PE information: section name: _RDATA
Source: rundatastream.exe.0.dr Static PE information: section name: _RDATA
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: 2_2_00007FFD942DDB54 push 8B4C0005h; retf 2_2_00007FFD942DDB59
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_queue.pyd
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\unicodedata.pyd
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\libssl-1_1.dll
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\pyexpat.pyd
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\vcruntime140.dll
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_bz2.pyd
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_lzma.pyd
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\libcrypto-1_1.dll
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_ssl.pyd
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\select.pyd
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_ctypes.pyd
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_socket.pyd
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_overlapped.pyd
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_decimal.pyd
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_multiprocessing.pyd
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_asyncio.pyd
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_elementtree.pyd
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\python37.dll
Source: C:\Users\user\Desktop\dstream.log.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_hashlib.pyd
Source: C:\Users\user\Desktop\dstream.log.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2569
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2662
Source: C:\Users\user\Desktop\dstream.log.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_queue.pyd
Source: C:\Users\user\Desktop\dstream.log.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\unicodedata.pyd
Source: C:\Users\user\Desktop\dstream.log.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\libssl-1_1.dll
Source: C:\Users\user\Desktop\dstream.log.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\pyexpat.pyd
Source: C:\Users\user\Desktop\dstream.log.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_bz2.pyd
Source: C:\Users\user\Desktop\dstream.log.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_lzma.pyd
Source: C:\Users\user\Desktop\dstream.log.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\libcrypto-1_1.dll
Source: C:\Users\user\Desktop\dstream.log.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_ctypes.pyd
Source: C:\Users\user\Desktop\dstream.log.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\select.pyd
Source: C:\Users\user\Desktop\dstream.log.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_ssl.pyd
Source: C:\Users\user\Desktop\dstream.log.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_socket.pyd
Source: C:\Users\user\Desktop\dstream.log.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_overlapped.pyd
Source: C:\Users\user\Desktop\dstream.log.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_decimal.pyd
Source: C:\Users\user\Desktop\dstream.log.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_multiprocessing.pyd
Source: C:\Users\user\Desktop\dstream.log.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_asyncio.pyd
Source: C:\Users\user\Desktop\dstream.log.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_elementtree.pyd
Source: C:\Users\user\Desktop\dstream.log.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_hashlib.pyd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5796 Thread sleep count: 2569 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5796 Thread sleep count: 2662 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 528 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\dstream.log.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6D8370 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF7BC6D8370
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: 2_2_00007FFD943BAD7C FindFirstFileW,FindClose, 2_2_00007FFD943BAD7C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6CBD58 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7BC6CBD58
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6DA11C GetProcessHeap, 0_2_00007FF7BC6DA11C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6CBD58 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7BC6CBD58
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6CB600 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7BC6CB600
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6CBF3C SetUnhandledExceptionFilter, 0_2_00007FF7BC6CBF3C
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6D48F0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7BC6D48F0
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: 2_2_00007FFD9431CC44 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFD9431CC44
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Code function: 2_2_00007FFDA433CCD8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFDA433CCD8
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "type msupdate.exe > image3.jpg:msupdate.exe"
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "del msupdate.exe"
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell .\image3.jpg:msupdate.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell .\image3.jpg:msupdate.exe
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6C51C0 cpuid 0_2_00007FF7BC6C51C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\dstream.log.exe Code function: 0_2_00007FF7BC6CA440 GetSystemTimeAsFileTime, 0_2_00007FF7BC6CA440
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: MsMpEng.exe
No contacted IP infos